Password Field with Autocomplete Enabled

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Report generated by XSS.CX at Sun Mar 20 09:17:10 CDT 2011.


1. Password field with autocomplete enabled

1.1. https://account.woot.com/login

1.2. https://account.woot.com/signup

1.3. https://account.woot.com/signup

1.4. https://account.woot.com/signup

1.5. http://app.xmlcontrol.com/signup

1.6. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

1.7. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

1.8. http://assets.mybcdna.com/JavaScript//apps/Connect/Connect.js

1.9. http://assets.mybcdna.com/JavaScript//apps/Connect/Connect.js

1.10. http://assets.mybcdna.com/JavaScript/apps/Connect/Connect.js

1.11. http://assets.mybcdna.com/JavaScript/apps/Connect/Connect.js

1.12. https://bugzilla.mozilla.org/show_bug.cgi

1.13. https://bugzilla.mozilla.org/show_bug.cgi

1.14. http://digg.com/

1.15. http://digg.com/api/diggthis.js

1.16. http://digg.com/submit

1.17. http://www.connect.facebook.com/widgets/fan.php

1.18. https://www.drivenissanleaf.com/Event/

1.19. http://www.facebook.com/plugins/likebox.php

1.20. http://www.facebook.com/share.php

1.21. http://www.facebook.com/sharer.php

1.22. https://www.facebook.com/login.php

1.23. http://www.lanebryant.com/user/login.jsp

1.24. http://www.lanebryant.com/user/login.jsp

1.25. http://www.livejournal.com/

1.26. http://www.livejournal.com/friends/add.bml

1.27. http://www.livejournal.com/identity/login.bml

1.28. http://www.livejournal.com/manage/settings/

1.29. https://www.livejournal.com/login.bml

1.30. http://www.myyearbook.com/

1.31. http://www.quantcast.com/global/personalHeader

1.32. http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

1.33. http://www.shockwave.com/ajax/modalLogin.jsp

1.34. http://www.shockwave.com/forgotPassword.jsp

1.35. http://www.shockwave.com/gamelanding/wordrounduphollywood.jsp

1.36. http://www.shockwave.com/games/pod.jsp

1.37. http://www.shockwave.com/home.jsp

1.38. http://www.shockwave.com/online/all-games.jsp

1.39. http://www.shockwave.com/search.jsp



1. Password field with autocomplete enabled
There are 39 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


1.1. https://account.woot.com/login

Summary

Severity:   Low
Confidence:   Certain
Host:   https://account.woot.com
Path:   /login

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /login HTTP/1.1
Host: account.woot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=68a92d94b49fa8ca:T=1300624474:S=ALNI_MYMGDpiaZCYenCyoYfDzME3mF-6iw; __utmz=87498951.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87498951.137914016.1300624488.1300624488.1300624488.2; __utmc=87498951; ASP.NET_SessionId=22t2jnvelpxe2wdtgccitn1b; __utmb=87498951.2.10.1300624488; __qca=P0-1285104554-1300624487224;

Response

HTTP/1.1 200 OK
Cache-Control: public, no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Sun, 20 Mar 2011 14:02:37 GMT
Last-Modified: Sun, 20 Mar 2011 14:02:37 GMT
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 20 Mar 2011 14:02:37 GMT
Connection: close
Content-Length: 13072


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
</h3>
<form action="/login" method="post" target="_parent">
<fieldset>
...[SNIP]...
<dd>
<input class="text" id="password" name="password" type="password" />
<p class="note">
...[SNIP]...

1.2. https://account.woot.com/signup

Summary

Severity:   Low
Confidence:   Certain
Host:   https://account.woot.com
Path:   /signup

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /signup?returnurl=http%3a%2f%2fwww.woot.com%2fdefault.aspx HTTP/1.1
Host: account.woot.com
Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=68a92d94b49fa8ca:T=1300624474:S=ALNI_MYMGDpiaZCYenCyoYfDzME3mF-6iw; __qca=P0-1285104554-1300624487224; __utmz=87498951.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87498951.137914016.1300624488.1300624488.1300624488.2; __utmc=87498951; __utmb=87498951.2.10.1300624488

Response

HTTP/1.1 200 OK
Cache-Control: public, no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Sun, 20 Mar 2011 13:39:23 GMT
Last-Modified: Sun, 20 Mar 2011 13:39:23 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kj055u1p4rjlytavdwiqjuth; path=/; HttpOnly
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 20 Mar 2011 13:39:23 GMT
Content-Length: 14055


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
</h3>
<form action="/signup?returnurl=http%3a%2f%2fwww.woot.com%2fdefault.aspx" method="post">
<fieldset>
...[SNIP]...
<dd>
            <input class="text" id="password" name="password" type="password" />
                <p class="note">
...[SNIP]...
<dd>
            <input class="text" id="confirmPassword" name="confirmPassword" type="password" />
                <p class="note">
...[SNIP]...

1.3. https://account.woot.com/signup

Summary

Severity:   Low
Confidence:   Certain
Host:   https://account.woot.com
Path:   /signup

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /signup HTTP/1.1
Host: account.woot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=68a92d94b49fa8ca:T=1300624474:S=ALNI_MYMGDpiaZCYenCyoYfDzME3mF-6iw; __utmz=87498951.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87498951.137914016.1300624488.1300624488.1300624488.2; __utmc=87498951; ASP.NET_SessionId=22t2jnvelpxe2wdtgccitn1b; __utmb=87498951.2.10.1300624488; __qca=P0-1285104554-1300624487224;

Response

HTTP/1.1 200 OK
Cache-Control: public, no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Sun, 20 Mar 2011 14:02:38 GMT
Last-Modified: Sun, 20 Mar 2011 14:02:38 GMT
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 20 Mar 2011 14:02:37 GMT
Connection: close
Content-Length: 14004


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
</h3>
<form action="/signup" method="post">
<fieldset>
...[SNIP]...
<dd>
            <input class="text" id="password" name="password" type="password" />
                <p class="note">
...[SNIP]...
<dd>
            <input class="text" id="confirmPassword" name="confirmPassword" type="password" />
                <p class="note">
...[SNIP]...

1.4. https://account.woot.com/signup

Summary

Severity:   Low
Confidence:   Certain
Host:   https://account.woot.com
Path:   /signup

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /signup?returnurl=http%3a%2f%2fwww.woot.com%2fBlog%2fdefault.aspx HTTP/1.1
Host: account.woot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=68a92d94b49fa8ca:T=1300624474:S=ALNI_MYMGDpiaZCYenCyoYfDzME3mF-6iw; __utmz=87498951.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87498951.137914016.1300624488.1300624488.1300624488.2; __utmc=87498951; ASP.NET_SessionId=22t2jnvelpxe2wdtgccitn1b; __utmb=87498951.2.10.1300624488; __qca=P0-1285104554-1300624487224;

Response

HTTP/1.1 200 OK
Cache-Control: public, no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Sun, 20 Mar 2011 14:03:38 GMT
Last-Modified: Sun, 20 Mar 2011 14:03:38 GMT
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 20 Mar 2011 14:03:38 GMT
Connection: close
Content-Length: 14062


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
</h3>
<form action="/signup?returnurl=http%3a%2f%2fwww.woot.com%2fBlog%2fdefault.aspx" method="post">
<fieldset>
...[SNIP]...
<dd>
            <input class="text" id="password" name="password" type="password" />
                <p class="note">
...[SNIP]...
<dd>
            <input class="text" id="confirmPassword" name="confirmPassword" type="password" />
                <p class="note">
...[SNIP]...

1.5. http://app.xmlcontrol.com/signup

Summary

Severity:   Low
Confidence:   Certain
Host:   http://app.xmlcontrol.com
Path:   /signup

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /signup HTTP/1.1
Host: app.xmlcontrol.com
Proxy-Connection: keep-alive
Referer: http://www.xmlcontrol.com/pricing.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=236612510.1300629481.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=236612510.167824158.1300629481.1300629481.1300629481.1; __utmc=236612510; __utmb=236612510.2.10.1300629481

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:58:21 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.8
ETag: "7f80153aaf41206b7a7396086f79a919"
X-Runtime: 70
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _auth_session=6aad020392cd0b3077b2a0576b678aba; path=/; HttpOnly
Status: 200
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13932

<body id="home">    
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta htt
...[SNIP]...
</h1>

<form action="/companies" class="new_user" id="new_user" method="post">

<p>
...[SNIP]...
<br/>
<input id="user_password" name="user[password]" size="30" type="password" /></p>
...[SNIP]...
<br/>
<input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /></p>
...[SNIP]...

1.6. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets.0.mybcdna.com
Path:   /JavaScript/apps/HomeBeforeLogin/hblv2.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /JavaScript/apps/HomeBeforeLogin/hblv2.js HTTP/1.1
Host: assets.0.mybcdna.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Wed, 23 Feb 2011 14:08:54 GMT
ETag: "3230255346"
Content-Type: text/javascript
Accept-Ranges: bytes
Date: Sun, 20 Mar 2011 14:03:02 GMT
Server: lighttpd/1.4.19
X-MyPoolMember: 10.100.10.31
Cache-Control: private, max-age=1800
Age: 0
Expires: Sun, 20 Mar 2011 14:33:02 GMT
X-CDN: Cotendo
Connection: close
Content-Length: 272623

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

1.7. http://assets.0.mybcdna.com/JavaScript/apps/HomeBeforeLogin/hblv2.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets.0.mybcdna.com
Path:   /JavaScript/apps/HomeBeforeLogin/hblv2.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /JavaScript/apps/HomeBeforeLogin/hblv2.js?64244 HTTP/1.1
Host: assets.0.mybcdna.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Last-Modified: Tue, 15 Mar 2011 14:01:23 GMT
ETag: "3975857351"
Content-Type: text/javascript
Accept-Ranges: bytes
Date: Sun, 20 Mar 2011 12:44:13 GMT
Server: lighttpd/1.4.19
X-MyPoolMember: 10.100.10.31
Cache-Control: private, max-age=1800
Age: 0
Expires: Sun, 20 Mar 2011 13:14:13 GMT
X-CDN: Cotendo
Connection: Keep-Alive
Content-Length: 273014

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

1.8. http://assets.mybcdna.com/JavaScript//apps/Connect/Connect.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets.mybcdna.com
Path:   /JavaScript//apps/Connect/Connect.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /JavaScript//apps/Connect/Connect.js HTTP/1.1
Host: assets.mybcdna.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 04 Mar 2011 21:03:45 GMT
ETag: "3340940574"
Content-Type: text/javascript
Accept-Ranges: bytes
Date: Sun, 20 Mar 2011 14:03:04 GMT
Server: lighttpd/1.4.19
Cache-Control: private, max-age=1800
Age: 0
Expires: Sun, 20 Mar 2011 14:33:04 GMT
X-CDN: Cotendo
Connection: close
Content-Length: 74836

window.Connect={connectState:'init',connectId:false,isConnected:false,appAuthorized:false,emailInUse:false,connectService:null,service:null,registrationCallback:false,regData:{},url:null,forceJSONP:fa
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

1.9. http://assets.mybcdna.com/JavaScript//apps/Connect/Connect.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets.mybcdna.com
Path:   /JavaScript//apps/Connect/Connect.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /JavaScript//apps/Connect/Connect.js?64244 HTTP/1.1
Host: assets.mybcdna.com
Proxy-Connection: keep-alive
Referer: http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0xJmxvZ2luX2ZhaWx1cmU9dHJ1ZSZlbWFpbElkPWVtYWls
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Last-Modified: Fri, 18 Mar 2011 22:16:45 GMT
ETag: "291675787"
Content-Type: text/javascript
Accept-Ranges: bytes
Date: Sun, 20 Mar 2011 13:36:38 GMT
Server: lighttpd/1.4.19
Cache-Control: private, max-age=1800
Age: 0
Expires: Sun, 20 Mar 2011 14:06:38 GMT
X-CDN: Cotendo
Connection: Keep-Alive
Content-Length: 75348

window.Connect={connectState:'init',connectId:false,isConnected:false,appAuthorized:false,emailInUse:false,connectService:null,service:null,registrationCallback:false,regData:{},url:null,forceJSONP:fa
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

1.10. http://assets.mybcdna.com/JavaScript/apps/Connect/Connect.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets.mybcdna.com
Path:   /JavaScript/apps/Connect/Connect.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /JavaScript/apps/Connect/Connect.js HTTP/1.1
Host: assets.mybcdna.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 04 Mar 2011 21:03:45 GMT
ETag: "3340940574"
Content-Type: text/javascript
Accept-Ranges: bytes
Date: Sun, 20 Mar 2011 14:03:02 GMT
Server: lighttpd/1.4.19
Cache-Control: private, max-age=1800
Age: 0
Expires: Sun, 20 Mar 2011 14:33:02 GMT
X-CDN: Cotendo
Connection: close
Content-Length: 74836

window.Connect={connectState:'init',connectId:false,isConnected:false,appAuthorized:false,emailInUse:false,connectService:null,service:null,registrationCallback:false,regData:{},url:null,forceJSONP:fa
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

1.11. http://assets.mybcdna.com/JavaScript/apps/Connect/Connect.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://assets.mybcdna.com
Path:   /JavaScript/apps/Connect/Connect.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /JavaScript/apps/Connect/Connect.js?64244 HTTP/1.1
Host: assets.mybcdna.com
Proxy-Connection: keep-alive
Referer: http://live.myyearbook.com/?2e77d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eadfd64910ba=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Last-Modified: Fri, 18 Mar 2011 22:16:45 GMT
ETag: "291675787"
Content-Type: text/javascript
Accept-Ranges: bytes
Date: Sun, 20 Mar 2011 14:10:55 GMT
Server: lighttpd/1.4.19
Cache-Control: private, max-age=1800
Age: 0
Expires: Sun, 20 Mar 2011 14:40:55 GMT
X-CDN: Cotendo
Connection: Keep-Alive
Content-Length: 75348

window.Connect={connectState:'init',connectId:false,isConnected:false,appAuthorized:false,emailInUse:false,connectService:null,service:null,registrationCallback:false,regData:{},url:null,forceJSONP:fa
...[SNIP]...
</h4>';content+='<form method="post" id="login_form" action="'+MyYearbook.URLs.ssl+'login">';content+='<div class="login_fields">
...[SNIP]...
<dd><input type="password" class="text" name="password"/> </dd>
...[SNIP]...

1.12. https://bugzilla.mozilla.org/show_bug.cgi

Summary

Severity:   Low
Confidence:   Certain
Host:   https://bugzilla.mozilla.org
Path:   /show_bug.cgi

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /show_bug.cgi HTTP/1.1
Host: bugzilla.mozilla.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: pm-app-bugs05
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Strict-transport-security: max-age=2629744; includeSubDomains
Date: Sun, 20 Mar 2011 14:03:14 GMT
Keep-Alive: timeout=300, max=1000
Connection: close
Content-Length: 12477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Search by bug number</title>



...[SNIP]...
</a>
<form action="https://bugzilla.mozilla.org/show_bug.cgi" method="POST"
class="mini_login bz_default_hidden"
id="mini_login_top"
onsubmit="return check_mini_login_fields( '_top' );"
>

<input id="Bugzilla_login_top"
class="bz_login"
name="Bugzilla_login"
onfocus="mini_login_on_focus('_top')"
>
<input class="bz_password"
id="Bugzilla_password_top"
name="Bugzilla_password"
type="password"
>

<input class="bz_password bz_default_hidden bz_mini_login_help" type="text"
id="Bugzilla_password_dummy_top" value="password"
onfocus="mini_login_on_focus('_top')"
>
...[SNIP]...

1.13. https://bugzilla.mozilla.org/show_bug.cgi

Summary

Severity:   Low
Confidence:   Certain
Host:   https://bugzilla.mozilla.org
Path:   /show_bug.cgi

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /show_bug.cgi HTTP/1.1
Host: bugzilla.mozilla.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: pm-app-bugs05
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Strict-transport-security: max-age=2629744; includeSubDomains
Date: Sun, 20 Mar 2011 14:03:14 GMT
Keep-Alive: timeout=300, max=1000
Connection: close
Content-Length: 12477

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Search by bug number</title>



...[SNIP]...
</a>
<form action="https://bugzilla.mozilla.org/show_bug.cgi" method="POST"
class="mini_login bz_default_hidden"
id="mini_login_bottom"
onsubmit="return check_mini_login_fields( '_bottom' );"
>

<input id="Bugzilla_login_bottom"
class="bz_login"
name="Bugzilla_login"
onfocus="mini_login_on_focus('_bottom')"
>
<input class="bz_password"
id="Bugzilla_password_bottom"
name="Bugzilla_password"
type="password"
>

<input class="bz_password bz_default_hidden bz_mini_login_help" type="text"
id="Bugzilla_password_dummy_bottom" value="password"
onfocus="mini_login_on_focus('_bottom')"

...[SNIP]...

1.14. http://digg.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: d=2a68c798e7a0b259fc8fefdeeca36a98a0266c70c4448c767c1a9ab096ee9ecf; traffic_control=-777143541355773928%3A196;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:03:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=231475 10.2.129.3
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94976


<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- All Topics
- The Latest News Headlines, Videos and Images
</title>

<me
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

1.15. http://digg.com/api/diggthis.js

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /api/diggthis.js

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /api/diggthis.js HTTP/1.1
Host: digg.com
Proxy-Connection: keep-alive
Referer: http://www.politicaldisgust.com/?cat=37
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=2a68c798e7a0b259fc8fefdeeca36a98a0266c70c4448c767c1a9ab096ee9ecf

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 13:31:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-777143541355773928%3A196; expires=Mon, 21-Mar-2011 13:31:46 GMT; path=/; domain=digg.com
X-Digg-Time: D=21515 10.2.128.255
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 7153

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology, headlin
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

1.16. http://digg.com/submit

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: d=2a68c798e7a0b259fc8fefdeeca36a98a0266c70c4448c767c1a9ab096ee9ecf; traffic_control=-777143541355773928%3A196;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:03:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=34339 10.2.129.82
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7514

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

1.17. http://www.connect.facebook.com/widgets/fan.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.connect.facebook.com
Path:   /widgets/fan.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /widgets/fan.php HTTP/1.1
Host: www.connect.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gz=1; datr=VV5oTas0hG1hzk6eclVNNMGO; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Donline.wsj.com%26placement%3Drecommendations%26extra_1%3Dhttp%253A%252F%252Fonline.wsj.com%252Fhome-page%26extra_2%3DUS;

Response

HTTP/1.1 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.247.124
Connection: close
Date: Sun, 20 Mar 2011 13:59:26 GMT
Content-Length: 11046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="menu_login_container"><form method="POST" action="https://www.connect.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
<td><input type="password" class="inputtext" name="pass" id="pass" tabindex="2" /></td>
...[SNIP]...

1.18. https://www.drivenissanleaf.com/Event/

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.drivenissanleaf.com
Path:   /Event/

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /Event/ HTTP/1.1
Host: www.drivenissanleaf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62979
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=4huocw55yrsk3d45jf2axi55; path=/; HttpOnly
Date: Sun, 20 Mar 2011 13:59:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...
<body>
<form name="aspnetForm" method="post" action="Default.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
<div>
...[SNIP]...
<div class="rowCell"><input name="ctl00$Login1$txtLoginPassword" type="password" maxlength="50" id="ctl00_Login1_txtLoginPassword" style="width:200px;" />
<span id="ctl00_Login1_rfvLoginPassword" title="Password is required." style="color:Red;display:none;">
...[SNIP]...

1.19. http://www.facebook.com/plugins/likebox.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /plugins/likebox.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /plugins/likebox.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gz=1; datr=VV5oTas0hG1hzk6eclVNNMGO; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Donline.wsj.com%26placement%3Drecommendations%26extra_1%3Dhttp%253A%252F%252Fonline.wsj.com%252Fhome-page%26extra_2%3DUS;

Response

HTTP/1.1 404 Not Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.40.94
Connection: close
Date: Sun, 20 Mar 2011 13:59:29 GMT
Content-Length: 11001

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
<td><input type="password" class="inputtext" name="pass" id="pass" tabindex="2" /></td>
...[SNIP]...

1.20. http://www.facebook.com/share.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /share.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /share.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gz=1; datr=VV5oTas0hG1hzk6eclVNNMGO; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Donline.wsj.com%26placement%3Drecommendations%26extra_1%3Dhttp%253A%252F%252Fonline.wsj.com%252Fhome-page%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=7zozL; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.132.63
Connection: close
Date: Sun, 20 Mar 2011 13:59:29 GMT
Content-Length: 10159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="login_form_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1&amp;display=popup" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
...[SNIP]...

1.21. http://www.facebook.com/sharer.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /sharer.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /sharer.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gz=1; datr=VV5oTas0hG1hzk6eclVNNMGO; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Donline.wsj.com%26placement%3Drecommendations%26extra_1%3Dhttp%253A%252F%252Fonline.wsj.com%252Fhome-page%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=gnmbc; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fsharer.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fsharer.php; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.106.49
Connection: close
Date: Sun, 20 Mar 2011 13:59:30 GMT
Content-Length: 10164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="login_form_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1&amp;display=popup" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
...[SNIP]...

1.22. https://www.facebook.com/login.php

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /login.php

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /login.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gz=1; datr=VV5oTas0hG1hzk6eclVNNMGO; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Donline.wsj.com%26placement%3Drecommendations%26extra_1%3Dhttp%253A%252F%252Fonline.wsj.com%252Fhome-page%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=VV5oTas0hG1hzk6eclVNNMGO; expires=Tue, 19-Mar-2013 13:59:31 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=sP6uX; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.43.143.81
X-Cnection: close
Date: Sun, 20 Mar 2011 13:59:31 GMT
Connection: close
Content-Length: 15659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div class="login_form_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." />
...[SNIP]...
</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
...[SNIP]...

1.23. http://www.lanebryant.com/user/login.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.lanebryant.com
Path:   /user/login.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /user/login.jsp?dest=%2Fuser%2Fmain.jsp HTTP/1.1
Host: www.lanebryant.com
Proxy-Connection: keep-alive
Referer: http://www.lanebryant.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PIPELINE_SESSION_ID=d342b367c0a8bb684adf294095078605; __utmz=162580515.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=162580515.1209933332.1300624488.1300624488.1300624488.1; __utmc=162580515; mbox=check#true#1300624549|session#1300624488082-862731#1300626349|PC#1300624488082-862731.17#1301834090; s_cc=true; c_m=undefinedDirect%20LoadDirect%20Load; s_evar32=Lane%20Bryant; s_cpm=%5B%5B%27Direct%20Load%27%2C%271300624489376%27%5D%5D; s_sq=%5B%5BB%5D%5D; LAST_PV=http%3A%2F%2Fwww.lanebryant.com%2Findex.jsp; JSESSIONID=3D67A259779AD3D9101A5768DE3D1ED1

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 20 Mar 2011 13:34:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=200A269C505509A3886FB407C2C9EFA1; Path=/
Content-Length: 63794

<!DOCTYPE html>
<html lang="en">
   <head>
        <link rel="shortcut icon" type="image/x-icon" href="http://www.lanebryant.com/assets/lb/assets/favicon.ico" />

<title>Member Login | Lane Bryant</
...[SNIP]...
<div class="fl">
   <form action="/user/login.cmd" method="post" name="loginForm"><input type='hidden' name='form_state' value='loginForm'/>
...[SNIP]...
</label>
<input class="formField" id="password" name="password" type="password" maxlength="10"/><div style="margin-top: 5px;">
...[SNIP]...

1.24. http://www.lanebryant.com/user/login.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.lanebryant.com
Path:   /user/login.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password fields with autocomplete enabled:

Request

GET /user/login.jsp?dest=%2Fuser%2Fmain.jsp HTTP/1.1
Host: www.lanebryant.com
Proxy-Connection: keep-alive
Referer: http://www.lanebryant.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PIPELINE_SESSION_ID=d342b367c0a8bb684adf294095078605; __utmz=162580515.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=162580515.1209933332.1300624488.1300624488.1300624488.1; __utmc=162580515; mbox=check#true#1300624549|session#1300624488082-862731#1300626349|PC#1300624488082-862731.17#1301834090; s_cc=true; c_m=undefinedDirect%20LoadDirect%20Load; s_evar32=Lane%20Bryant; s_cpm=%5B%5B%27Direct%20Load%27%2C%271300624489376%27%5D%5D; s_sq=%5B%5BB%5D%5D; LAST_PV=http%3A%2F%2Fwww.lanebryant.com%2Findex.jsp; JSESSIONID=3D67A259779AD3D9101A5768DE3D1ED1

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 20 Mar 2011 13:34:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=200A269C505509A3886FB407C2C9EFA1; Path=/
Content-Length: 63794

<!DOCTYPE html>
<html lang="en">
   <head>
        <link rel="shortcut icon" type="image/x-icon" href="http://www.lanebryant.com/assets/lb/assets/favicon.ico" />

<title>Member Login | Lane Bryant</
...[SNIP]...
<div class="fl">
   <form action="/user/register_from_login.cmd" method="post" name="registerForm"><input type='hidden' name='form_state' value='registerForm'/>
...[SNIP]...
</label>
<input class="formField" id="passwordNewMember" name="passwordNewMember" type="password" maxlength="10"/><p class="tipText">
...[SNIP]...
</label>
<input class="formField" id="verifyPassword" name="verifyPassword" type="password" maxlength="10"/></div>
...[SNIP]...

1.25. http://www.livejournal.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.livejournal.com
Path:   /

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.livejournal.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljuniq=GdoShltCUTBwAH3:1300624474:pgstats0:m0

Response

HTTP/1.0 200 OK
Date: Sun, 20 Mar 2011 12:35:13 GMT
Server: Apache/2.2.3 (CentOS)
X-AWS-Id: ws48
Set-Cookie: show_sponsored_vgifts=1; path=/; domain=.livejournal.com
Set-Cookie: show_sponsored_vgifts=1; path=/; domain=.livejournal.com
Cache-Control: private, proxy-revalidate
ETag: "9a2035df4ab43323eaa7e4d1ffcb6836"
Vary: Accept-Encoding
Set-Cookie: show_sponsored_vgifts=1; path=/; domain=.livejournal.com
Set-Cookie: show_sponsored_vgifts=1; path=/; domain=.livejournal.com
Keep-Alive: timeout=30, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 49046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<
...[SNIP]...
<div class="lj_loginform" id="Login">
<form style='margin: 0; padding: 0;' method="post" action="https://www.livejournal.com/login.bml?ret=1" id="login" class="lj_login_form">

<input type='hidden' name='mode' value='login' />
...[SNIP]...
<td style='white-space: nowrap;'><input type="password" name="password" size="15" class="lj_login_password" tabindex="2" />
<input type='submit' value="Log in" tabindex='3' />
...[SNIP]...

1.26. http://www.livejournal.com/friends/add.bml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.livejournal.com
Path:   /friends/add.bml

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /friends/add.bml HTTP/1.1
Host: www.livejournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ljuniq=GdoShltCUTBwAH3:1300624474:pgstats0:m0; __utmz=164322722.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); show_sponsored_vgifts=1; __utma=164322722.1766814109.1300624490.1300624490.1300624490.1; __utmc=164322722; __utmb=164322722.1.10.1300624490;

Response

HTTP/1.0 302 Found
Date: Sun, 20 Mar 2011 13:59:39 GMT
Server: Apache/2.2.3 (CentOS)
X-AWS-Id: ws36
Location: http://www.livejournal.com/?returnto=%2Ffriends%2Fadd.bml
Cache-Control: private, proxy-revalidate
ETag: "5c9d963115b3dd64d3f3ee3b50cc6b71"
Content-length: 22195
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">


...[SNIP]...
<div class="lj_loginform" id="Login">
<form style='margin: 0; padding: 0;' method="post" action="https://www.livejournal.com/login.bml?ret=1" id="login" class="lj_login_form">

<input type='hidden' name='mode' value='login' />
...[SNIP]...
<td style='white-space: nowrap;'><input type="password" name="password" size="15" class="lj_login_password" tabindex="2" />
<input type='submit' value="Log in" tabindex='3' />
...[SNIP]...

1.27. http://www.livejournal.com/identity/login.bml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.livejournal.com
Path:   /identity/login.bml

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /identity/login.bml HTTP/1.1
Host: www.livejournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ljuniq=GdoShltCUTBwAH3:1300624474:pgstats0:m0; __utmz=164322722.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); show_sponsored_vgifts=1; __utma=164322722.1766814109.1300624490.1300624490.1300624490.1; __utmc=164322722; __utmb=164322722.1.10.1300624490;

Response

HTTP/1.0 200 OK
Date: Sun, 20 Mar 2011 13:59:39 GMT
Server: Apache/2.2.3 (CentOS)
X-AWS-Id: ws21
Cache-Control: private, proxy-revalidate
ETag: "7b765a0bdb306f5e59749587d45f09dc"
Content-length: 25341
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<
...[SNIP]...
<div class="lj_loginform" id="Login">
<form style='margin: 0; padding: 0;' method="post" action="https://www.livejournal.com/login.bml?ret=1" id="login" class="lj_login_form">

<input type='hidden' name='mode' value='login' />
...[SNIP]...
<td style='white-space: nowrap;'><input type="password" name="password" size="15" class="lj_login_password" tabindex="2" />
<input type='submit' value="Log in" tabindex='3' />
...[SNIP]...

1.28. http://www.livejournal.com/manage/settings/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.livejournal.com
Path:   /manage/settings/

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /manage/settings/ HTTP/1.1
Host: www.livejournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ljuniq=GdoShltCUTBwAH3:1300624474:pgstats0:m0; __utmz=164322722.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); show_sponsored_vgifts=1; __utma=164322722.1766814109.1300624490.1300624490.1300624490.1; __utmc=164322722; __utmb=164322722.1.10.1300624490;

Response

HTTP/1.0 200 OK
Date: Sun, 20 Mar 2011 13:59:40 GMT
Server: Apache/2.2.3 (CentOS)
X-AWS-Id: ws17
Cache-Control: private, proxy-revalidate
ETag: "029f61028660d8683aedff35763a8cee"
Content-length: 25865
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<
...[SNIP]...
<div class="lj_loginform" id="Login">
<form style='margin: 0; padding: 0;' method="post" action="https://www.livejournal.com/login.bml?ret=1" id="login" class="lj_login_form">

<input type='hidden' name='mode' value='login' />
...[SNIP]...
<td style='white-space: nowrap;'><input type="password" name="password" size="15" class="lj_login_password" tabindex="2" />
<input type='submit' value="Log in" tabindex='3' />
...[SNIP]...

1.29. https://www.livejournal.com/login.bml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.livejournal.com
Path:   /login.bml

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

POST /login.bml?ret=1 HTTP/1.1
Host: www.livejournal.com
Connection: keep-alive
Referer: http://www.livejournal.com/
Cache-Control: max-age=0
Origin: http://www.livejournal.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljuniq=GdoShltCUTBwAH3:1300624474:pgstats0:m0; show_sponsored_vgifts=1; __utmz=164322722.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=164322722.1766814109.1300624490.1300624490.1300624490.1; __utmc=164322722
Content-Length: 26

mode=login&user=&password=

Response

HTTP/1.0 200 OK
Date: Sun, 20 Mar 2011 13:36:46 GMT
Server: Apache/2.2.3 (CentOS)
X-AWS-Id: ws13
Cache-Control: no-cache, no-cache
ETag: "dedb6bc234fd1e8808e862e0e3bda45c"
Content-length: 15293
Pragma: no-cache
Keep-Alive: timeout=30, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Content-Language: en
Expires: Sun, 20 Mar 2011 13:36:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>

...[SNIP]...
<div class='appwidget appwidget-login' id='LJWidget_42'>
<form action='https://www.livejournal.com/login.bml' method='post' class='lj_login_form pkg'>
<input type='hidden' name='ref' value='http://www.livejournal.com/' />
...[SNIP]...
</label>
<input type='password' id='lj_loginwidget_password' name='password' class='lj_login_password text' size='20' maxlength='30' /><a href='http://www.livejournal.com/lostinfo.bml' class='small-link'>
...[SNIP]...

1.30. http://www.myyearbook.com/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.myyearbook.com
Path:   /

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: www.myyearbook.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 12:38:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=801dea07b4525bb09a00f44dbe2a1e38; path=/; domain=.myyearbook.com
Set-Cookie: mybRegTheme=deleted; expires=Sat, 20-Mar-2010 12:38:53 GMT; path=/; domain=.myyearbook.com
Set-Cookie: mybRegData=deleted; expires=Sat, 20-Mar-2010 12:38:53 GMT; path=/; domain=.myyearbook.com
Set-Cookie: mybRegTheme=hbl; expires=Sun, 27-Mar-2011 12:38:54 GMT; path=/; domain=.myyearbook.com
Set-Cookie: mybRegData=%5B%5D; expires=Sun, 27-Mar-2011 12:38:54 GMT; path=/; domain=.myyearbook.com
Set-Cookie: POSTAff2Cookie=HBL; expires=Mon, 19-Mar-2012 12:38:54 GMT; path=/; domain=.myyearbook.com
Set-Cookie: MYB_TARGET=_unknown_1000_____; path=/; domain=.myyearbook.com
Cache-control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8;
X-MyPoolMember: 10.100.10.201
Content-Length: 25700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
</div>
<form method="post" id="login" action="https://ssl.myyearbook.com/login">
<ul>
...[SNIP]...
<li>
<input type="password" class="text" id="login_form_password" name="password"/>
</li>
...[SNIP]...

1.31. http://www.quantcast.com/global/personalHeader

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.quantcast.com
Path:   /global/personalHeader

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

POST /global/personalHeader HTTP/1.1
Host: www.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Origin: http://www.quantcast.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=F8C72CDB444E881F86E48F2534922FBE; __utma=14861494.1792645891.1297862294.1300542320.1300624433.14; __utmb=14861494.1.10.1300624433; __utmc=14861494; __utmv=; qcVisitor=2|47|1297862270597|110|NOTSET
Content-Length: 18

r=0.67874995036982

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: qcVisitor=2|47|1297862270597|111|NOTSET; Expires=Tue, 12-Mar-2041 12:33:54 GMT; Path=/
Set-Cookie: JSESSIONID=61A191C510FAB1968C7AA505026DBEFC; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 934
Date: Sun, 20 Mar 2011 12:33:53 GMT
Connection: close


<span id="header-utility" class="utility">


<ul>
<li class="optout"><a id="searchFormOptOut" href="/opt-out">Opt-Out</a></li>
<li><a href="/privacy" class="privacy">Privacy</a></li>


<li>
<
...[SNIP]...
<div id="miniLogin">


<form id="signupLogin" name="userlogin" action="/user/login" method="post">
<table id="signupLoginTable">
...[SNIP]...
</label>


<input id="password" name="wpPassword" class="loginText" type="password" value="" size="15"/>
</td>
...[SNIP]...

1.32. http://www.reliant.com/en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.reliant.com
Path:   /en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /en_US/Page/Shop/Public/misc_LockedandLow_100_landingpage.jsp HTTP/1.1
Host: www.reliant.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Oracle-iPlanet-Web-Server/7.0
Date: Sun, 20 Mar 2011 14:00:10 GMT
Content-type: text/html;charset=utf-8
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: UserSessionFilterCookieID=6406DAD9-4C03-016D-EE3B-B76E76D395E6; Expires=Mon, 19-Mar-2012 14:00:10 GMT; Path=/
Set-cookie: JSESSIONID=B6810346BF0DE2ACC17D98141AEEF69B; Path=/
Set-cookie: language_code=en_US; Domain=.reliant.com; Path=/
Set-cookie: i_chronicle_id=090175228036daba
Set-cookie: site_location=Shop; Domain=.reliant.com; Path=/
Set-cookie: CurrentAccountSegment=Generic; Domain=.reliant.com; Path=/
Pragma: no-cache
Via: 1.1 https-www.reliant.com
Proxy-agent: Oracle-iPlanet-Web-Server/7.0
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/en_US/Site_Utilities/css/style_online_enroll.css" />


<form NAME="zipcodelanding" METHOD="POST" action="/PublicResourceDispatcher">

   <DIV id="baseDIV" class="LandingPageTransaction" align="center">
...[SNIP]...
<br/>
<input type="password" name="PASSWORD" value="" size="30" maxlength="50" onpaste="return false" oncontextmenu="return false" class="TextBox"/>

</div>
...[SNIP]...

1.33. http://www.shockwave.com/ajax/modalLogin.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /ajax/modalLogin.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

POST /ajax/modalLogin.jsp HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
Referer: http://www.shockwave.com/home.jsp
Origin: http://www.shockwave.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __qca=P0-668179243-1300624455024; mtvn_guid=1299937743-92; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; s_nr=1300624572007; s_cc=true; __cs_rr=1; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; __utmc=153495162; s_ppv=57; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA
Content-Length: 0

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 13:39:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 13:39:23 GMT
Connection: close
Content-Length: 1866


<div id="loginStatic">
   <div id="modalLogin">
       <h2>Sign in on Shockwave</h2>
       <div class="pod podMyShockwave">
           <div class="podContent clearfix">
               <form action="#" method="post" enctype="multipart/form-data" id="modalLoginForm" class="loginForm shockwave">
                   <input type="hidden" name="loginSource" id="loginSource" value="" />
...[SNIP]...
<label class="desc">
                               Password
                               <input type="password" value="" tabindex="152" maxlength="255" name="password" class="signInFormPassword field text medium"/>
                           </label>
...[SNIP]...

1.34. http://www.shockwave.com/forgotPassword.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /forgotPassword.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /forgotPassword.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35623


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
</p>

           <form action="#" method="post" enctype="multipart/form-data" class="loginForm shockwave tightForm">
               <p style="display: none;" class="error">
...[SNIP]...
</label>
                       <input type="password" value="" name="password" id="facebookLinkPassword" class="signInFormPassword field text w120"/>
                       <p>
...[SNIP]...

1.35. http://www.shockwave.com/gamelanding/wordrounduphollywood.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /gamelanding/wordrounduphollywood.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /gamelanding/wordrounduphollywood.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82836


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
</p>

           <form action="#" method="post" enctype="multipart/form-data" class="loginForm shockwave tightForm">
               <p style="display: none;" class="error">
...[SNIP]...
</label>
                       <input type="password" value="" name="password" id="facebookLinkPassword" class="signInFormPassword field text w120"/>
                       <p>
...[SNIP]...

1.36. http://www.shockwave.com/games/pod.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /games/pod.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /games/pod.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36006


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
</p>

           <form action="#" method="post" enctype="multipart/form-data" class="loginForm shockwave tightForm">
               <p style="display: none;" class="error">
...[SNIP]...
</label>
                       <input type="password" value="" name="password" id="facebookLinkPassword" class="signInFormPassword field text w120"/>
                       <p>
...[SNIP]...

1.37. http://www.shockwave.com/home.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /home.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /home.jsp HTTP/1.1
Host: www.shockwave.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Sun, 20 Mar 2011 12:34:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 12:34:14 GMT
Connection: close
Set-Cookie: JSESSIONID=bdeuXmvzkMAan8skJqt7s; domain=.shockwave.com; path=/
Content-Length: 106714


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
</p>

           <form action="#" method="post" enctype="multipart/form-data" class="loginForm shockwave tightForm">
               <p style="display: none;" class="error">
...[SNIP]...
</label>
                       <input type="password" value="" name="password" id="facebookLinkPassword" class="signInFormPassword field text w120"/>
                       <p>
...[SNIP]...

1.38. http://www.shockwave.com/online/all-games.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /online/all-games.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /online/all-games.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 56683


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
</p>

           <form action="#" method="post" enctype="multipart/form-data" class="loginForm shockwave tightForm">
               <p style="display: none;" class="error">
...[SNIP]...
</label>
                       <input type="password" value="" name="password" id="facebookLinkPassword" class="signInFormPassword field text w120"/>
                       <p>
...[SNIP]...

1.39. http://www.shockwave.com/search.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.shockwave.com
Path:   /search.jsp

Issue detail

The page contains a form with the following action URL:
The form contains the following password field with autocomplete enabled:

Request

GET /search.jsp HTTP/1.1
Host: www.shockwave.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=adbHr0Y82SFkD9VaJqt7s; __utmz=153495162.1300624455.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pn=%2Fmember%2FavatarViewer.jsp48e63%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eecdcc990455; s_sq=viashockwave%3D%2526pid%253D%25252Fhome.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shockwave.com%25252Fhome.jsp%252523%2526ot%253DA; s_ppv=57; qcDemo=demo%253DD%253Bdemo%253DT%253Bdemo%253D2966%253Bdemo%253D2907%253Bdemo%253D2905%253Bdemo%253D1607%253Bdemo%253D1306%253Bdemo%253D1299%253Bdemo%253D850%253Bdemo%253D848%253Bdemo%253D847%253Bdemo%253D844%253Bdemo%253D792%253Bdemo%253D790%253Bdemo%253D777%253Bdemo%253D775%253Bdemo%253D774; mbox=session#1300624454318-408793#1300626432|check#true#1300624632; s_cc=true; __cs_rr=1; s_nr=1300624572007; __utma=153495162.870092848.1300624455.1300624455.1300624455.1; mtvn_guid=1299937743-92; __utmc=153495162; __utmb=153495162.2.10.1300624455; __qca=P0-668179243-1300624455024;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a Resin/3.1.2
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Expires: Sun, 20 Mar 2011 14:00:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Mar 2011 14:00:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34232


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.
...[SNIP]...
</p>

           <form action="#" method="post" enctype="multipart/form-data" class="loginForm shockwave tightForm">
               <p style="display: none;" class="error">
...[SNIP]...
</label>
                       <input type="password" value="" name="password" id="facebookLinkPassword" class="signInFormPassword field text w120"/>
                       <p>
...[SNIP]...
