Hoyt LLC Research - http://cloudscan.me and http://xss.cx

Proof of Concept - XSS via Cookie in groupon.com
March 1, 2011

Bug: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Blog URI with Screen Grab @ http://www.cloudscan.me/2011/03/grouponcom-xss-capec-86-cross-site.html

Application Request | GET
--------------------------
GET /user_demographics/demographic_form_banner.html?addx=test@fastdial.net&_=1298999611622 HTTP/1.1
Host: www.groupon.com
Proxy-Connection: keep-alive
Referer: http://www.groupon.com/san-jose/deals/pure-barre-los-gatos-1?utm_medium=email&utm_source=newsletter&c=title&addx=test@fastdial.net&utm_content=san-jose_feed&user=test@fastdial.net&d=deal&divison=san-jose&s=more_deals_for_you&p=0&date=20110301
x-requested-with: XMLHttpRequest
content-type: application/x-www-form-urlencoded
accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: b=2148c93a-394a-11e0-aca6-005056951763; visited=true; _chartbeat2=sq6k5rzuuoqiwvy6; subscriber_email=test%40fastdial.net16b2a4eec7245226; _tpaid=newsletter; adchemy_id=; _tpmed=email; division=san-jose; s=29108ae4-4427-11e0-ae71-005056952866; email=test%40fastdial.net; _thepoint=c34d720c801b2b00e49f006c1240e874; __utmz=44473723.1298999612.2.5.utmcsr=newsletter|utmccn=(not%20set)|utmcmd=email|utmcct=san-jose_feed; __utma=44473723.1103413385.1297805149.1297805149.1298999612.2; __utmc=44473723; __utmv=44473723.|2=Exp-default=1250235324%2F2=1,; __utmb=44473723.1.10.1298999612

Application Response
------------------------
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Tue, 01 Mar 2011 17:30:46 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: subscriber_email=test%40fastdial.net; path=/; expires=Mon, 01-Mar-2021 17:30:46 GMT
Set-Cookie: adchemy_id=; path=/
Set-Cookie: division=san-jose; path=/; expires=Fri, 01-Apr-2011 17:30:46 GMT
Set-Cookie: email=test%40fastdial.net; path=/; expires=Mon, 01-Mar-2021 17:30:46 GMT
Set-Cookie: mobile=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: _thepoint=c34d720c801b2b00e49f006c1240e874; domain=.groupon.com; path=/; expires=Wed, 02 Mar 2011 17:30:46 GMT; HttpOnly
Status: 200
ETag: "2fc2bf5967c41756ae4bcae15e19a108"
X-Runtime: 41
Cache-Control: private, max-age=0, must-revalidate
Connection: close
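The transaction above shows the source-to-sink chain behind the CWE-79 finding: the addx query parameter is written into the subscriber_email cookie (percent-encoded, as the Set-Cookie header shows), sent back on the next request, and rendered into the banner HTML. The following Python is an added illustration, not code from the advisory or from groupon.com; it models that chain with a vulnerable renderer beside an output-encoded one, and all function names and the input template are hypothetical.

```python
# Added example (not the advisory's or the site's code). Models the chain the PoC
# records: addx -> Set-Cookie subscriber_email -> Cookie header -> banner HTML.
# The point it makes: percent-encoding in the cookie does not protect the HTML
# sink, because the server decodes the value before rendering it.
import html
from urllib.parse import quote, unquote

# Hypothetical banner markup; the real template is not on the page.
TEMPLATE = '<input type="text" name="addx" value="%s">'

def set_cookie_for(addx: str) -> str:
    """Build the Set-Cookie header the response carries for an addx value."""
    return "subscriber_email=%s; path=/" % quote(addx, safe="")

def cookie_header_from_set_cookie(set_cookie: str) -> str:
    """What the browser echoes back: the name=value pair without attributes."""
    return set_cookie.split(";", 1)[0]

def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into name -> percent-decoded value."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = unquote(value)  # the application sees the decoded value
    return jar

def render_banner_vulnerable(jar: dict) -> str:
    """The CWE-79 defect: the decoded cookie value is concatenated into markup."""
    return TEMPLATE % jar.get("subscriber_email", "")

def render_banner_fixed(jar: dict) -> str:
    """Encode for the HTML attribute context (&, <, >, ", ') before rendering."""
    return TEMPLATE % html.escape(jar.get("subscriber_email", ""), quote=True)

def round_trip(addx: str, renderer) -> str:
    """Run one addx value through Set-Cookie -> Cookie -> banner render."""
    cookie = cookie_header_from_set_cookie(set_cookie_for(addx))
    return renderer(parse_cookie_header(cookie))

if __name__ == "__main__":
    # Constructed probe: closes the attribute and the tag, then adds markup.
    probe = 'x"><b>injected</b>'
    print(round_trip("test@fastdial.net", render_banner_vulnerable))
    print(round_trip(probe, render_banner_vulnerable))  # markup survives intact
    print(round_trip(probe, render_banner_fixed))       # markup is neutralised
```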